vault

package
Published: Nov 21, 2023 License: MPL-2.0 Imports: 178 Imported by: 364

Documentation


Constants

const (

	// Storage path prefixes for the activity (client-count) log. Exported
	// for testing purposes (public as needed).
	ActivityLogPrefix = "sys/counters/activity/log/"
	ActivityPrefix    = "sys/counters/activity/"

	// Number of client records to store per segment. Each ClientRecord may
	// consume up to 99 bytes; rounded to 100 bytes. The []byte undergoes JSON
	// marshalling before being added to storage, increasing the size by
	// approximately 4/3. Given the storage limit of 512KB per storage entry,
	// we can roughly store 512KB/(100 bytes * 4/3), yielding approximately
	// 3820 records.
	ActivitySegmentClientCapacity = 3820
)
const (
	// AESGCMVersion1 is the original AESGCM storage format version.
	AESGCMVersion1 = 0x1
	// AESGCMVersion2 is the later AESGCM storage format version. The version
	// presumably tags each stored ciphertext so that entries written under
	// the older format remain decryptable — confirm against the barrier's
	// encrypt/decrypt paths.
	AESGCMVersion2 = 0x2
)

Versions of the AESGCM storage methodology

const (
	// CoreLockPath is the path used to acquire a coordinating lock
	// for a highly-available deploy.
	CoreLockPath = "core/lock"

	// ForwardSSCTokenToActive is the value that must be set in the
	// forwardToActive to trigger forwarding if a perf standby encounters
	// an SSC Token that it does not have the WAL state for.
	ForwardSSCTokenToActive = "new_token"

	// WrapperTypeHsmAutoDeprecated is the legacy "hsm-auto" seal wrapper type
	// name. The identifier marks it as deprecated; presumably it is retained
	// so that older seal configurations still parse — confirm against the
	// seal configuration handling.
	WrapperTypeHsmAutoDeprecated = wrapping.WrapperType("hsm-auto")

	// ErrMlockFailedTemplate is the message emitted when mlock fails. mlock
	// keeps process memory (which holds Vault's in-memory secrets while
	// unsealed) from being swapped to disk. Operators who set disable_mlock
	// accept that risk and should make sure swap is disabled or encrypted.
	ErrMlockFailedTemplate = "Failed to lock memory: %v\n\n" +
		"This usually means that the mlock syscall is not available.\n" +
		"Vault uses mlock to prevent memory from being swapped to\n" +
		"disk. This requires root privileges as well as a machine\n" +
		"that supports mlock. Please enable mlock on your system or\n" +
		"disable Vault from using it. To disable Vault from using it,\n" +
		"set the `disable_mlock` configuration option in your configuration\n" +
		"file."
)
const (
	// CORSDisabled and CORSEnabled are the two states of the CORS
	// configuration. CORSDisabled is the zero value (iota == 0), so an
	// unset state reads as disabled.
	CORSDisabled uint32 = iota
	CORSEnabled
)
const (

	// MaxIrrevocableLeasesToReturn is the maximum number of irrevocable leases
	// we return to the irrevocable lease list API **without** the `force`
	// flag set. This bounds the response size of a potentially very large
	// listing.
	MaxIrrevocableLeasesToReturn = 10000

	// MaxIrrevocableLeasesWarning is the warning attached to a truncated
	// listing, telling the caller how to retrieve the full list.
	MaxIrrevocableLeasesWarning = "Command halted because many irrevocable leases were found. To emit the entire list, re-run the command with force set true."
)
const (

	// Error constants used in the Authorization Endpoint. See details at
	// https://openid.net/specs/openid-connect-core-1_0.html#AuthError.
	// The values are the wire-format error codes defined by the OIDC spec;
	// several endpoints share the same string (e.g. "invalid_request").
	ErrAuthUnsupportedResponseType = "unsupported_response_type"
	ErrAuthInvalidRequest          = "invalid_request"
	ErrAuthAccessDenied            = "access_denied"
	ErrAuthUnauthorizedClient      = "unauthorized_client"
	ErrAuthServerError             = "server_error"
	ErrAuthRequestNotSupported     = "request_not_supported"
	ErrAuthRequestURINotSupported  = "request_uri_not_supported"

	// Error constants used in the Token Endpoint. See details at
	// https://openid.net/specs/openid-connect-core-1_0.html#TokenErrorResponse
	ErrTokenInvalidRequest       = "invalid_request"
	ErrTokenInvalidClient        = "invalid_client"
	ErrTokenInvalidGrant         = "invalid_grant"
	ErrTokenUnsupportedGrantType = "unsupported_grant_type"
	ErrTokenServerError          = "server_error"

	// Error constants used in the UserInfo Endpoint. See details at
	// https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
	ErrUserInfoServerError    = "server_error"
	ErrUserInfoInvalidRequest = "invalid_request"
	ErrUserInfoInvalidToken   = "invalid_token"
	ErrUserInfoAccessDenied   = "access_denied"

	// The following errors are used by the UI for specific behavior of
	// the OIDC specification. Any changes to their values must come with
	// a corresponding change in the UI code. They are Vault-specific and
	// not part of the OIDC error vocabulary above.
	ErrAuthInvalidClientID      = "invalid_client_id"
	ErrAuthInvalidRedirectURI   = "invalid_redirect_uri"
	ErrAuthMaxAgeReAuthenticate = "max_age_violation"
)
const (
	// Capability names as written in policy documents. DenyCapability,
	// SudoCapability and RootCapability carry the most security weight:
	// from the names, deny presumably overrides grants on a path and
	// sudo/root denote privileged access — confirm against the ACL
	// evaluation code. Note that RootCapability has no corresponding bit
	// in the *CapabilityInt bitmap below.
	DenyCapability   = "deny"
	CreateCapability = "create"
	ReadCapability   = "read"
	UpdateCapability = "update"
	DeleteCapability = "delete"
	ListCapability   = "list"
	SudoCapability   = "sudo"
	RootCapability   = "root"
	PatchCapability  = "patch"

	// Backwards compatibility: names from the older path-policy syntax,
	// including "write", which has no direct equivalent above.
	OldDenyPathPolicy  = "deny"
	OldReadPathPolicy  = "read"
	OldWritePathPolicy = "write"
	OldSudoPathPolicy  = "sudo"
)
const (
	// Bit flags for the capability bitmap (presumably the value carried in
	// ACLPermissions.CapabilitiesBitmap / ACLResults.CapabilitiesBitmap —
	// confirm). Each flag is a single bit: DenyCapabilityInt is 1 << 0,
	// CreateCapabilityInt is 1 << 1, and so on. There is no RootCapabilityInt,
	// and PatchCapabilityInt follows SudoCapabilityInt, so its bit is 1 << 7.
	DenyCapabilityInt uint32 = 1 << iota
	CreateCapabilityInt
	ReadCapabilityInt
	UpdateCapabilityInt
	DeleteCapabilityInt
	ListCapabilityInt
	SudoCapabilityInt
	PatchCapabilityInt
)
const (
	// RollbackDefaultNumWorkers is the default size of the rollback worker
	// pool. RollbackWorkersEnvVar names the environment variable that, from
	// its name, presumably overrides it — confirm where it is read.
	RollbackDefaultNumWorkers = 256
	RollbackWorkersEnvVar     = "VAULT_ROLLBACK_WORKERS"
)
const (
	// Recovery key types reported by a seal. From the names, Shamir means
	// recovery keys are Shamir shares and Unsupported means the seal has no
	// recovery keys — confirm against the seal implementations.
	RecoveryTypeUnsupported = "unsupported"
	RecoveryTypeShamir      = "shamir"
)
const (

	// TokenLength is the size of tokens we are currently generating, without
	// any namespace information
	TokenLength = 24

	// MaxNsIdLength is the maximum namespace ID length (5 characters prepended by a ".")
	MaxNsIdLength = 6

	// TokenPrefixLength is the length of the new token prefixes ("hvs.", "hvb.",
	// and "hvr.")
	TokenPrefixLength = 4

	// OldTokenPrefixLength is the length of the old token prefixes ("s.", "b.", "r.")
	OldTokenPrefixLength = 2

	// GenerationCounterBuffer is a buffer for the generation counter estimation in the
	// case where a counter cannot be retrieved from storage
	GenerationCounterBuffer = 5

	// MaxRetrySSCTokensGenerationCounter is the maximum number of retries the TokenStore
	// will make when attempting to get the SSCTokensGenerationCounter
	MaxRetrySSCTokensGenerationCounter = 3

	// IgnoreForBilling used for HCP Link batch tokens and inserted into the InternalMeta
	// Tokens created for the purpose of HCP Link should bypass counting for billing purposes
	IgnoreForBilling = "ignore_for_billing"
)
const (
	// ControlledCapabilityPolicySubsetError is returned when a control group's
	// controlled capabilities are not a subset of the policy's capabilities.
	// Exported so tests can match on the exact message.
	ControlledCapabilityPolicySubsetError = "control group factor capabilities must be a subset of the policy's capabilities"
)

Error constants for testing

const (
	// EnvVaultDisableLocalAuthMountEntities names an environment variable.
	// From its name it presumably disables entity creation for local auth
	// mounts — confirm where it is read.
	EnvVaultDisableLocalAuthMountEntities = "VAULT_DISABLE_LOCAL_AUTH_MOUNT_ENTITIES"
)
const (

	// IntNoForwardingHeaderName is an internal request header that suppresses
	// request forwarding. It is distinct from the client-facing
	// X-Vault-No-Request-Forwarding header listed in StdAllowedHeaders.
	// Internal so as not to log a trace message.
	IntNoForwardingHeaderName = "X-Vault-Internal-No-Request-Forwarding"
)
const (

	// StoredBarrierKeysPath is the path used for storing HSM-encrypted unseal
	// keys. Only the seal-wrapped form lives here; reading this path yields
	// ciphertext that presumably requires the seal (HSM/KMS) to recover —
	// confirm against the auto-seal code.
	StoredBarrierKeysPath = "core/hsm/barrier-unseal-keys"
)
// TestDeadlockDetection is a build-dependent switch for deadlock detection in
// tests. It is the empty string in this build; presumably a build tag sets it
// elsewhere — confirm.
const TestDeadlockDetection = ""

Variables

var (
	// ErrBarrierSealed is returned if an operation is performed on
	// a sealed barrier. No operation is expected to succeed before unsealing
	ErrBarrierSealed = errors.New("Vault is sealed")

	// ErrBarrierAlreadyInit is returned if the barrier is already
	// initialized. This prevents a re-initialization.
	ErrBarrierAlreadyInit = errors.New("Vault is already initialized")

	// ErrBarrierNotInit is returned if a non-initialized barrier
	// is attempted to be unsealed.
	ErrBarrierNotInit = errors.New("Vault is not initialized")

	// ErrBarrierInvalidKey is returned if the Unseal key is invalid. The
	// message is deliberately generic and does not say why the key failed.
	ErrBarrierInvalidKey = errors.New("Unseal failed, invalid key")

	// ErrPlaintextTooLarge is returned if a plaintext is offered for encryption
	// that is too large to encrypt in memory
	ErrPlaintextTooLarge = errors.New("plaintext value too large")
)
var (
	// ErrCannotForward is returned when a request cannot be forwarded because
	// there is no connection to the active node or its address is unknown.
	ErrCannotForward          = errors.New("cannot forward request; no connection or address not known")
	// ErrCannotForwardLocalOnly is returned when forwarding is attempted for a
	// request that is marked local-only.
	ErrCannotForwardLocalOnly = errors.New("cannot forward local-only request")
)
var (
	// ErrAlreadyInit is returned if the core is already
	// initialized. This prevents a re-initialization.
	ErrAlreadyInit = errors.New("Vault is already initialized")

	// ErrNotInit is returned if a non-initialized barrier
	// is attempted to be unsealed.
	ErrNotInit = errors.New("Vault is not initialized")

	// ErrInternalError is returned when we don't want to leak
	// any information about an internal error. The underlying cause should
	// be logged server-side rather than surfaced to the client.
	ErrInternalError = errors.New("internal error")

	// ErrHANotEnabled is returned if the operation only makes sense
	// in an HA setting
	ErrHANotEnabled = errors.New("Vault is not configured for highly-available mode")

	// ErrIntrospectionNotEnabled is returned if "introspection_endpoint" is not
	// enabled in the configuration file
	ErrIntrospectionNotEnabled = errors.New("The Vault configuration must set \"introspection_endpoint\" to true to enable this endpoint")

	// Replication / WAL inspection hooks. These are package variables rather
	// than plain functions so that another build can swap in its own
	// implementation; the *Impl defaults are defined elsewhere in this
	// package (presumably the enterprise build overrides them — confirm).
	LastWAL               = lastWALImpl
	LastPerformanceWAL    = lastPerformanceWALImpl
	LastDRWAL             = lastDRWALImpl
	PerformanceMerkleRoot = merkleRootImpl
	DRMerkleRoot          = merkleRootImpl
	LastRemoteWAL         = lastRemoteWALImpl
	LastRemoteUpstreamWAL = lastRemoteUpstreamWALImpl
	WaitUntilWALShipped   = waitUntilWALShippedImpl

	// License hooks with their defaults for this build: no license is
	// autoloaded, the init check passes, the summary is nil and reload is a
	// no-op. Presumably overridden in the enterprise build — confirm.
	LicenseAutoloaded = func(*Core) bool { return false }
	LicenseInitCheck  = func(*Core) error { return nil }
	LicenseSummary    = func(*Core) (*LicenseState, error) { return nil, nil }
	LicenseReload     = func(*Core) error { return nil }
)
var (
	// Plugin catalog errors.
	//
	// ErrDirectoryNotConfigured: a plugin cannot be registered because no
	// plugin directory is configured. ErrPluginNotFound: no catalog entry
	// for the requested plugin. ErrPluginConnectionNotFound: no live plugin
	// connection for the client. ErrPluginBadType: the plugin's type could
	// not be determined.
	ErrDirectoryNotConfigured   = errors.New("could not set plugin, plugin directory is not configured")
	ErrPluginNotFound           = errors.New("plugin not found in the catalog")
	ErrPluginConnectionNotFound = errors.New("plugin connection not found for client")
	ErrPluginBadType            = errors.New("unable to determine plugin type")
)
var (

	// TestingUpdateClusterAddr is used in tests to override the cluster address
	TestingUpdateClusterAddr uint32

	// ErrJoinWithoutAutoloading is returned when this node tries to join a
	// cluster whose members use autoloaded licenses while this node does not.
	ErrJoinWithoutAutoloading = errors.New("attempt to join a cluster using autoloaded licenses while not using autoloading ourself")
)
var (
	// DefaultMaxRequestDuration is the amount of time we'll wait for a request
	// to complete, unless overridden on a per-handler basis
	DefaultMaxRequestDuration = 90 * time.Second

	// ErrNoApplicablePolicies is returned when no policy applies to a request.
	ErrNoApplicablePolicies    = errors.New("no applicable policies")
	// ErrPolicyNotExistInTypeMap is returned when a policy is looked up in the
	// per-type policy map and is absent.
	ErrPolicyNotExistInTypeMap = errors.New("policy does not exist in type map")
)
// DefaultNumCores is the default number of cores; from the surrounding test
// helpers it presumably sizes a TestCluster — confirm.
var DefaultNumCores = 3
// ErrInRestoreMode is returned while the expiration manager is still restoring
// leases and cannot yet serve the requested operation.
var ErrInRestoreMode = errors.New("expiration manager in restore mode")
var (
	// ErrInitWithoutAutoloading is returned when storage initialization is
	// attempted without an autoloaded license.
	ErrInitWithoutAutoloading = errors.New("cannot initialize storage without an autoloaded license")
)
// File_vault_request_forwarding_service_proto is the generated protobuf file
// descriptor for vault/request_forwarding_service.proto; do not edit by hand.
var File_vault_request_forwarding_service_proto protoreflect.FileDescriptor
// NamespaceByID resolves a namespace by its ID. It is a variable rather than a
// function so that the implementation can be replaced; the default is
// namespaceByID, defined elsewhere in this package.
var NamespaceByID func(context.Context, string, *Core) (*namespace.Namespace, error) = namespaceByID
// RequestForwarding_ServiceDesc is the gRPC service descriptor generated from
// vault/request_forwarding_service.proto (see Metadata). It exposes a unary
// ForwardRequest and Echo method plus a server-streaming
// PerformanceStandbyElectionRequest. Intended only for grpc.RegisterService;
// do not introspect or modify it.
var RequestForwarding_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "vault.RequestForwarding",
	HandlerType: (*RequestForwardingServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "ForwardRequest",
			Handler:    _RequestForwarding_ForwardRequest_Handler,
		},
		{
			MethodName: "Echo",
			Handler:    _RequestForwarding_Echo_Handler,
		},
	},
	Streams: []grpc.StreamDesc{
		{
			StreamName:    "PerformanceStandbyElectionRequest",
			Handler:       _RequestForwarding_PerformanceStandbyElectionRequest_Handler,
			ServerStreams: true,
		},
	},
	Metadata: "vault/request_forwarding_service.proto",
}

RequestForwarding_ServiceDesc is the grpc.ServiceDesc for RequestForwarding service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy)

// StdAllowedHeaders is the standard set of request headers permitted through
// the CORS configuration (presumably merged with operator-configured headers
// — confirm). It includes Authorization and the Vault token header
// (consts.AuthHeaderName), so a browser may send credentials on cross-origin
// requests once CORS is enabled; keep the allowed-origins list tight.
var StdAllowedHeaders = []string{
	"Content-Type",
	"X-Requested-With",
	"X-Vault-AWS-IAM-Server-ID",
	"X-Vault-MFA",
	"X-Vault-No-Request-Forwarding",
	"X-Vault-Wrap-Format",
	"X-Vault-Wrap-TTL",
	"X-Vault-Policy-Override",
	"Authorization",
	consts.AuthHeaderName,
}

Functions

func ActiveEntitiesEqual added in v1.6.2

func ActiveEntitiesEqual(active map[string]*activity.EntityRecord, test []*activity.EntityRecord) bool

ActiveEntitiesEqual checks that `active` contains exactly the records in `test` and nothing else.

func AddTestCredentialBackend added in v0.9.0

func AddTestCredentialBackend(name string, factory logical.Factory) error

This adds a credential backend for the test core. This needs to be invoked before the test core is created.

func AddTestLogicalBackend added in v0.3.0

func AddTestLogicalBackend(name string, factory logical.Factory) error

This adds a logical backend for the test core. This needs to be invoked before the test core is created.

func CubbyholeBackendFactory added in v0.3.0

func CubbyholeBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

CubbyholeBackendFactory constructs a new cubbyhole backend

func DiagnoseCheckLicense added in v1.8.0

func DiagnoseCheckLicense(ctx context.Context, vaultCore *Core, coreConfig CoreConfig, generate bool) (bool, []string)

func GenerateListenerAddr added in v1.13.6

func GenerateListenerAddr(t testing.T, opts *TestClusterOptions, certIPs []net.IP) (*net.TCPAddr, []net.IP)

func GenerateRandBytes added in v0.5.0

func GenerateRandBytes(length int) ([]byte, error)

func GenerateTestLicenseKeys added in v1.8.0

func GenerateTestLicenseKeys() (ed25519.PublicKey, ed25519.PrivateKey, error)

func IsBatchToken added in v1.10.0

func IsBatchToken(token string) bool

func IsFatalError added in v1.0.3

func IsFatalError(err error) bool

IsFatalError returns true if the given error is a fatal error.

func IsJWT added in v1.10.0

func IsJWT(token string) bool

func IsSSCToken added in v1.10.0

func IsSSCToken(token string) bool

func IsServiceToken added in v1.10.0

func IsServiceToken(token string) bool

func IsWrappingToken added in v1.8.0

func IsWrappingToken(te *logical.TokenEntry) bool

func LeaseSwitchedPassthroughBackend added in v0.3.0

func LeaseSwitchedPassthroughBackend(ctx context.Context, conf *logical.BackendConfig, revoke revokeFunc) (logical.Backend, error)

LeaseSwitchedPassthroughBackend returns a PassthroughBackend with leases switched on or off

func LeasedPassthroughBackendFactory added in v0.3.0

func LeasedPassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

LeasedPassthroughBackendFactory returns a PassthroughBackend with leases switched on

func NewAutoSeal added in v1.0.0

func NewAutoSeal(lowLevel *seal.Access) (*autoSeal, error)

func NewDelegateForCore added in v1.13.3

func NewDelegateForCore(c *Core) *raft.Delegate

NewDelegateForCore creates a raft.Delegate for the specified core using its backend.

func NewRequestForwardingHandler added in v1.1.0

func NewRequestForwardingHandler(c *Core, fws *http2.Server, perfStandbySlots chan struct{}, perfStandbyRepCluster *replication.Cluster) (*requestForwardingHandler, error)

NewRequestForwardingHandler creates a cluster handler for use with request forwarding.

func NewSealUnwrapper added in v0.9.4

func NewSealUnwrapper(underlying physical.Backend, logger log.Logger) physical.Backend

NewSealUnwrapper creates a new seal unwrapper

func NoopBackendFactory added in v1.1.4

func NoopBackendFactory(_ context.Context, _ *logical.BackendConfig) (logical.Backend, error)

func NoopBackendRollbackErrFactory added in v1.12.10

func NoopBackendRollbackErrFactory(_ context.Context, _ *logical.BackendConfig) (logical.Backend, error)

func PassthroughBackendFactory

func PassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

PassthroughBackendFactory returns a PassthroughBackend with leases switched off

func RandStringBytes added in v1.9.0

func RandStringBytes(n int) string

func RegisterRequestForwardingServer added in v0.6.1

func RegisterRequestForwardingServer(s grpc.ServiceRegistrar, srv RequestForwardingServer)

func SetReplicationFailureMode added in v0.11.2

func SetReplicationFailureMode(core *TestClusterCore, mode uint32)

func SetupMFAMemDB added in v1.10.3

func SetupMFAMemDB(schemaFuncs []func() *memdb.TableSchema) (*memdb.MemDB, error)

func SetupMetrics added in v1.11.12

func SetupMetrics(conf *CoreConfig) *metrics.InmemSink

func TestAddTestPlugin added in v0.7.1

func TestAddTestPlugin(t testing.T, c *Core, name string, pluginType consts.PluginType, version string, testFunc string, env []string, tempDir string)

TestAddTestPlugin registers the testFunc as part of the plugin command to the plugin catalog. If provided, uses tempDir as the plugin directory. NB: the test func you pass in MUST be in the same package as the parent test, or the test func won't be compiled into the test binary being run and the output will be something like: stderr (ignored by go-plugin): "testing: warning: no tests to run" stdout: "PASS"

func TestCoreInit

func TestCoreInit(t testing.T, core *Core) ([][]byte, string)

TestCoreInit initializes the core with a single key, and returns the key that must be used to unseal the core and a root token.

func TestCoreInitClusterWrapperSetup added in v0.6.1

func TestCoreInitClusterWrapperSetup(t testing.T, core *Core, handler http.Handler) ([][]byte, [][]byte, string)

func TestCoreSeal added in v1.12.0

func TestCoreSeal(core *Core) error

func TestCoreUnseal added in v0.6.1

func TestCoreUnseal(core *Core, key []byte) (bool, error)

func TestDynamicSystemView added in v0.7.1

func TestDynamicSystemView(c *Core, ns *namespace.Namespace) *dynamicSystemView

func TestInitUnsealCore added in v1.12.0

func TestInitUnsealCore(t testing.T, core *Core) (string, [][]byte)

func TestKeyCopy

func TestKeyCopy(key []byte) []byte

TestKeyCopy is a silly little function to just copy the key so that it can be used with Unseal easily.

func TestPluginClientConfig added in v1.12.0

func TestPluginClientConfig(c *Core, pluginType consts.PluginType, pluginName string) pluginutil.PluginClientConfig

func TestRunTestPlugin added in v1.12.0

func TestRunTestPlugin(t testing.T, c *Core, pluginType consts.PluginType, pluginName string) *pluginClient

TestRunTestPlugin runs the testFunc which has already been registered to the plugin catalog and returns a pluginClient. This can be called after calling TestAddTestPlugin.

func TestWaitActive added in v0.6.1

func TestWaitActive(t testing.T, core *Core)

func TestWaitActiveForwardingReady added in v1.6.0

func TestWaitActiveForwardingReady(t testing.T, core *Core)

func TestWaitActiveWithError added in v0.10.2

func TestWaitActiveWithError(core *Core) error

func WriteToStorage added in v1.6.2

func WriteToStorage(t *testing.T, c *Core, path string, data []byte)

WriteToStorage is used to put entity data in storage. `path` should be the complete path (not relative to the view).

Types

type ACL

type ACL struct {
	// ACL is used to wrap a set of policies to provide an efficient interface
	// for access control; construct it with NewACL.
	// contains filtered or unexported fields
}

ACL is used to wrap a set of policies to provide an efficient interface for access control.

func NewACL

func NewACL(ctx context.Context, policies []*Policy) (*ACL, error)

NewACL is used to construct a policy based ACL from a set of policies.

func (*ACL) AllowOperation

func (a *ACL) AllowOperation(ctx context.Context, req *logical.Request, capCheckOnly bool) (ret *ACLResults)

AllowOperation is used to check if the given operation is permitted.

func (*ACL) Capabilities added in v0.5.2

func (a *ACL) Capabilities(ctx context.Context, path string) (pathCapabilities []string)

func (*ACL) CheckAllowedFromNonExactPaths added in v1.1.1

func (a *ACL) CheckAllowedFromNonExactPaths(path string, bareMount bool) *ACLPermissions

CheckAllowedFromNonExactPaths returns permissions corresponding to a matching path with wildcards/globs. If bareMount is true, the path should correspond to a mount prefix, and what is returned is either a non-nil set of permissions from some allowed path underneath the mount (for use in mount access checks), or nil indicating no non-deny permissions were found.

type ACLPermissions added in v0.9.0

type ACLPermissions struct {
	// CapabilitiesBitmap is a bitmask of the granted capabilities; presumably
	// built from the *CapabilityInt flags — confirm.
	CapabilitiesBitmap  uint32
	// MinWrappingTTL and MaxWrappingTTL bound the response-wrapping TTL a
	// caller may request on the path.
	MinWrappingTTL      time.Duration
	MaxWrappingTTL      time.Duration
	// AllowedParameters / DeniedParameters restrict which request parameters
	// (and values) may be supplied; RequiredParameters must be present.
	AllowedParameters   map[string][]interface{}
	DeniedParameters    map[string][]interface{}
	RequiredParameters  []string
	// MFAMethods lists MFA methods that must be satisfied for the path.
	MFAMethods          []string
	// ControlGroup, when non-nil, requires control-group authorization.
	ControlGroup        *ControlGroup
	// GrantingPoliciesMap records, per capability bit, which policies granted
	// it (useful for audit/explanation).
	GrantingPoliciesMap map[uint32][]logical.PolicyInfo
}

func (*ACLPermissions) Clone added in v0.9.0

func (p *ACLPermissions) Clone() (*ACLPermissions, error)

type ACLResults added in v0.9.0

type ACLResults struct {
	// Allowed reports whether the operation is permitted.
	Allowed            bool
	// RootPrivs reports whether the operation was allowed via root/sudo
	// privileges; IsRoot reports whether the caller itself is root.
	RootPrivs          bool
	IsRoot             bool
	// MFAMethods and ControlGroup carry any additional authorization the
	// request must still satisfy.
	MFAMethods         []string
	ControlGroup       *ControlGroup
	// CapabilitiesBitmap is the bitmask of capabilities that applied.
	CapabilitiesBitmap uint32
	// GrantingPolicies lists the policies that granted access.
	GrantingPolicies   []logical.PolicyInfo
}

type AESGCMBarrier

type AESGCMBarrier struct {
	// UnaccountedEncryptions counts encryptions made locally under the current
	// key term; together with RemoteEncryptions it presumably feeds the
	// auto-rotation decision (see CheckBarrierAutoRotate) — confirm.
	UnaccountedEncryptions *atomic.Int64
	// Used only for testing
	RemoteEncryptions *atomic.Int64
	// contains filtered or unexported fields
}

AESGCMBarrier is a SecurityBarrier implementation that uses AES in Galois/Counter Mode (GCM). It uses Go's default GCM nonce size of 12 bytes and a 256-bit key. AES-GCM is high performance and provides both confidentiality and integrity (authenticated encryption). As with any GCM use, a nonce must never be reused under the same key; see the per-term encryption counters and the rotation methods below.

func NewAESGCMBarrier

func NewAESGCMBarrier(physical physical.Backend) (*AESGCMBarrier, error)

NewAESGCMBarrier is used to construct a new barrier that uses the provided physical backend for storage.

func (*AESGCMBarrier) ActiveKeyInfo added in v0.2.0

func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error)

ActiveKeyInfo is used to inform details about the active key

func (*AESGCMBarrier) AddRemoteEncryptions added in v1.7.0

func (b *AESGCMBarrier) AddRemoteEncryptions(encryptions int64)

func (*AESGCMBarrier) CheckBarrierAutoRotate added in v1.7.0

func (b *AESGCMBarrier) CheckBarrierAutoRotate(ctx context.Context) (string, error)

func (*AESGCMBarrier) CheckUpgrade added in v0.2.0

func (b *AESGCMBarrier) CheckUpgrade(ctx context.Context) (bool, uint32, error)

CheckUpgrade looks for an upgrade to the current term and installs it

func (*AESGCMBarrier) ConsumeEncryptionCount added in v1.7.0

func (b *AESGCMBarrier) ConsumeEncryptionCount(consumer func(int64) error) error

func (*AESGCMBarrier) CreateUpgrade added in v0.2.0

func (b *AESGCMBarrier) CreateUpgrade(ctx context.Context, term uint32) error

CreateUpgrade creates an upgrade path key to the given term from the previous term

func (*AESGCMBarrier) Decrypt added in v0.7.0

func (b *AESGCMBarrier) Decrypt(_ context.Context, key string, ciphertext []byte) ([]byte, error)

Decrypt is used to decrypt in-memory for the BarrierEncryptor interface

func (*AESGCMBarrier) Delete

func (b *AESGCMBarrier) Delete(ctx context.Context, key string) error

Delete is used to permanently delete an entry

func (*AESGCMBarrier) DestroyUpgrade added in v0.2.0

func (b *AESGCMBarrier) DestroyUpgrade(ctx context.Context, term uint32) error

DestroyUpgrade destroys the upgrade path key to the given term

func (*AESGCMBarrier) Encrypt added in v0.7.0

func (b *AESGCMBarrier) Encrypt(ctx context.Context, key string, plaintext []byte) ([]byte, error)

Encrypt is used to encrypt in-memory for the BarrierEncryptor interface

func (*AESGCMBarrier) GenerateKey

func (b *AESGCMBarrier) GenerateKey(reader io.Reader) ([]byte, error)

GenerateKey is used to generate a new key

func (*AESGCMBarrier) Get

Get is used to fetch an entry

func (*AESGCMBarrier) Initialize

func (b *AESGCMBarrier) Initialize(ctx context.Context, key, sealKey []byte, reader io.Reader) error

Initialize works only if the barrier has not been initialized and makes use of the given root key.

func (*AESGCMBarrier) Initialized

func (b *AESGCMBarrier) Initialized(ctx context.Context) (bool, error)

Initialized checks if the barrier has been initialized and has a root key set.

func (*AESGCMBarrier) KeyLength

func (b *AESGCMBarrier) KeyLength() (int, int)

KeyLength is used to sanity check a key

func (*AESGCMBarrier) Keyring added in v0.7.0

func (b *AESGCMBarrier) Keyring() (*Keyring, error)

func (*AESGCMBarrier) List

func (b *AESGCMBarrier) List(ctx context.Context, prefix string) ([]string, error)

List is used to list all the keys under a given prefix, up to the next prefix.

func (*AESGCMBarrier) Put

func (b *AESGCMBarrier) Put(ctx context.Context, entry *logical.StorageEntry) error

Put is used to insert or update an entry

func (*AESGCMBarrier) Rekey added in v0.2.0

func (b *AESGCMBarrier) Rekey(ctx context.Context, key []byte) error

Rekey is used to change the root key used to protect the keyring

func (*AESGCMBarrier) ReloadKeyring added in v0.2.0

func (b *AESGCMBarrier) ReloadKeyring(ctx context.Context) error

ReloadKeyring is used to re-read the underlying keyring. This is used for HA deployments to ensure the latest keyring is present in the leader.

func (*AESGCMBarrier) ReloadRootKey added in v1.10.0

func (b *AESGCMBarrier) ReloadRootKey(ctx context.Context) error

ReloadRootKey is used to re-read the underlying root key. This is used for HA deployments to ensure the latest root key is available for keyring reloading.

func (*AESGCMBarrier) Rotate added in v0.2.0

func (b *AESGCMBarrier) Rotate(ctx context.Context, randomSource io.Reader) (uint32, error)

Rotate is used to create a new encryption key. All future writes should use the new key, while old values should still be decryptable.

func (*AESGCMBarrier) RotationConfig added in v1.7.0

func (b *AESGCMBarrier) RotationConfig() (kc KeyRotationConfig, err error)

func (*AESGCMBarrier) Seal

func (b *AESGCMBarrier) Seal() error

Seal is used to re-seal the barrier. This requires the barrier to be unsealed again to perform any further operations.

func (*AESGCMBarrier) Sealed

func (b *AESGCMBarrier) Sealed() (bool, error)

Sealed checks if the barrier has been unlocked yet. The Barrier is not expected to be able to perform any CRUD until it is unsealed.

func (*AESGCMBarrier) SetRootKey added in v1.10.0

func (b *AESGCMBarrier) SetRootKey(key []byte) error

SetRootKey updates the keyring's in-memory root key but does not persist anything to storage

func (*AESGCMBarrier) SetRotationConfig added in v1.7.0

func (b *AESGCMBarrier) SetRotationConfig(ctx context.Context, rotConfig KeyRotationConfig) error

func (*AESGCMBarrier) TotalLocalEncryptions added in v1.7.0

func (b *AESGCMBarrier) TotalLocalEncryptions() int64

TotalLocalEncryptions returns the number of encryptions made on the local instance only for the current key term.

func (*AESGCMBarrier) Unseal

func (b *AESGCMBarrier) Unseal(ctx context.Context, key []byte) error

Unseal is used to provide the root key which permits the barrier to be unsealed. If the key is not correct, the barrier remains sealed.

func (*AESGCMBarrier) VerifyRoot added in v1.10.0

func (b *AESGCMBarrier) VerifyRoot(key []byte) error

VerifyRoot is used to check if the given key matches the root key

type APIMountConfig added in v0.8.0

type APIMountConfig struct {
	DefaultLeaseTTL           string                `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	MaxLeaseTTL               string                `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	ForceNoCache              bool                  `json:"force_no_cache" structs:"force_no_cache" mapstructure:"force_no_cache"`
	// AuditNonHMACRequestKeys / AuditNonHMACResponseKeys name request and
	// response keys whose values are, from the name, written to audit logs
	// without HMAC (i.e. in the clear). Adding a key here is a disclosure
	// decision — confirm against the audit code.
	AuditNonHMACRequestKeys   []string              `json:"audit_non_hmac_request_keys,omitempty" structs:"audit_non_hmac_request_keys" mapstructure:"audit_non_hmac_request_keys"`
	AuditNonHMACResponseKeys  []string              `` /* 128-byte string literal not displayed */
	ListingVisibility         ListingVisibilityType `json:"listing_visibility,omitempty" structs:"listing_visibility" mapstructure:"listing_visibility"`
	// PassthroughRequestHeaders and AllowedResponseHeaders are allowlists of
	// headers forwarded to / returned from the mounted backend.
	PassthroughRequestHeaders []string              `json:"passthrough_request_headers,omitempty" structs:"passthrough_request_headers" mapstructure:"passthrough_request_headers"`
	AllowedResponseHeaders    []string              `json:"allowed_response_headers,omitempty" structs:"allowed_response_headers" mapstructure:"allowed_response_headers"`
	TokenType                 string                `json:"token_type" structs:"token_type" mapstructure:"token_type"`
	AllowedManagedKeys        []string              `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
	UserLockoutConfig         *UserLockoutConfig    `json:"user_lockout_config,omitempty" mapstructure:"user_lockout_config"`
	PluginVersion             string                `json:"plugin_version,omitempty" mapstructure:"plugin_version"`

	// PluginName is the name of the plugin registered in the catalog.
	//
	// Deprecated: MountEntry.Type should be used instead for Vault 1.0.0 and beyond.
	PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
}

APIMountConfig is an embedded struct of api.MountConfigInput

type APIUserLockoutConfig added in v1.13.0

type APIUserLockoutConfig struct {
	// Lockout settings are carried as strings (durations/counts) as received
	// from the API; parsing happens elsewhere.
	LockoutThreshold            string `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
	LockoutDuration             string `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
	LockoutCounterResetDuration string `` /* 134-byte string literal not displayed */
	// DisableLockout is serialized as "lockout_disable" (note the field and
	// JSON names differ). A pointer so that "unset" is distinguishable from
	// an explicit false.
	DisableLockout              *bool  `json:"lockout_disable,omitempty" structs:"lockout_disable" mapstructure:"lockout_disable"`
}

type ActiveEntities added in v1.3.0

type ActiveEntities struct {
	// Entities contains information about the number of active entities;
	// serialized as "entities".
	Entities EntityCounter `json:"entities"`
}

ActiveEntities contains the number of active entities.

type ActiveTokens added in v1.3.0

type ActiveTokens struct {
	// ServiceTokens contains information about the number of active service
	// tokens; serialized as "service_tokens".
	ServiceTokens TokenCounter `json:"service_tokens"`
}

ActiveTokens contains the number of active tokens.

type ActivityIntentLog added in v1.6.0

type ActivityIntentLog struct {
	// PreviousMonth and NextMonth are month timestamps (Unix seconds, by
	// analogy with the other activity-log timestamps — confirm) recording a
	// pending end-of-month rotation.
	PreviousMonth int64 `json:"previous_month"`
	NextMonth     int64 `json:"next_month"`
}

type ActivityLog added in v1.6.0

type ActivityLog struct {

	// CensusReportDone is a channel used to signal tests upon successful calls
	// to (CensusReporter).Write() in CensusReport.
	CensusReportDone chan bool

	// CensusReportInterval is the testing configuration for time between
	// Write() calls initiated in CensusReport.
	CensusReportInterval time.Duration
	// Both exported fields exist only for tests; production state is in the
	// unexported fields below.
	// contains filtered or unexported fields
}

ActivityLog tracks unique entity counts and non-entity token counts. It handles assembling log fragments (and sending them to the active node), writing log segments, and precomputing queries.

func NewActivityLog added in v1.6.0

func NewActivityLog(core *Core, logger log.Logger, view *BarrierView, metrics metricsutil.Metrics) (*ActivityLog, error)

NewActivityLog creates an activity log.

func (*ActivityLog) AddClientToFragment added in v1.9.0

func (a *ActivityLog) AddClientToFragment(clientID string, namespaceID string, timestamp int64, isTWE bool, mountAccessor string)

AddClientToFragment checks a client ID for uniqueness and if not already present, adds it to the current fragment. The timestamp is a Unix timestamp *without* nanoseconds, as that is what token.CreationTime uses.

func (*ActivityLog) AddEntityToFragment added in v1.6.0

func (a *ActivityLog) AddEntityToFragment(entityID string, namespaceID string, timestamp int64)

func (*ActivityLog) AddTokenToFragment added in v1.6.0

func (a *ActivityLog) AddTokenToFragment(namespaceID string)

NOTE: AddTokenToFragment is deprecated and can no longer be used, except for testing backward compatibility. Please use AddClientToFragment instead.

func (*ActivityLog) CensusReport added in v1.11.12

func (a *ActivityLog) CensusReport(context.Context, CensusReporter, time.Time)

CensusReport is a no-op on OSS

func (*ActivityLog) CreateOrFetchHyperlogLog added in v1.11.12

func (a *ActivityLog) CreateOrFetchHyperlogLog(ctx context.Context, startTime time.Time) (*hyperloglog.Sketch, error)

CreateOrFetchHyperlogLog creates a new HyperLogLog sketch for each startTime (month) if one does not already exist in storage. HyperLogLog is used here to solve the count-distinct problem, i.e. to count the number of distinct clients. In the activity log, the HyperLogLog is a sketch of the clientIDs seen in a given month.

func (*ActivityLog) DefaultStartTime added in v1.6.0

func (a *ActivityLog) DefaultStartTime(endTime time.Time) time.Time

func (*ActivityLog) ExpectCurrentSegmentRefreshed added in v1.6.2

func (a *ActivityLog) ExpectCurrentSegmentRefreshed(t *testing.T, expectedStart int64, verifyTimeNotZero bool)

ExpectCurrentSegmentRefreshed verifies that the current segment has been refreshed with non-nil, empty components and updated with the `expectedStart` timestamp. Note: if `verifyTimeNotZero` is true, `expectedStart` is ignored and the check only asserts that the timestamp is not 0.

func (*ActivityLog) GetCurrentEntities added in v1.6.2

func (a *ActivityLog) GetCurrentEntities() *activity.EntityActivityLog

GetCurrentEntities returns the current entity activity log

func (*ActivityLog) GetEnabled added in v1.6.2

func (a *ActivityLog) GetEnabled() bool

GetEnabled returns the enabled flag on an activity log

func (*ActivityLog) GetEntitySequenceNumber added in v1.6.2

func (a *ActivityLog) GetEntitySequenceNumber() uint64

GetEntitySequenceNumber returns the current entity sequence number

func (*ActivityLog) GetStartTimestamp added in v1.6.2

func (a *ActivityLog) GetStartTimestamp() int64

GetStartTimestamp returns the start timestamp on an activity log

func (*ActivityLog) GetStoredTokenCountByNamespaceID added in v1.9.0

func (a *ActivityLog) GetStoredTokenCountByNamespaceID() map[string]uint64

GetStoredTokenCountByNamespaceID returns the count of tokens by namespace ID

func (*ActivityLog) HandleEndOfMonth added in v1.6.0

func (a *ActivityLog) HandleEndOfMonth(ctx context.Context, currentTime time.Time) error

HandleEndOfMonth handles the end-of-month rotation of the activity log. currentTime is passed as an argument (rather than read from the clock) for unit-testing purposes.

func (*ActivityLog) HandleTokenUsage added in v1.9.0

func (a *ActivityLog) HandleTokenUsage(ctx context.Context, entry *logical.TokenEntry, clientID string, isTWE bool) error

HandleTokenUsage adds the TokenEntry to the current fragment of the activity log. This currently occurs on token usage only.

func (*ActivityLog) NewSegmentFileReader added in v1.11.10

func (a *ActivityLog) NewSegmentFileReader(ctx context.Context, startTime time.Time) (SegmentReader, error)

func (*ActivityLog) PartialMonthMetrics added in v1.7.0

func (a *ActivityLog) PartialMonthMetrics(ctx context.Context) ([]metricsutil.GaugeLabelValues, error)

Periodic report of number of active entities, with the current month. We don't break this down by namespace because that would require going to storage (that information is not currently stored in memory.)

func (*ActivityLog) SetConfig added in v1.6.0

func (a *ActivityLog) SetConfig(ctx context.Context, config activityConfig)

SetConfig is the variant used when the configuration is changed by a user at runtime; it reacts to the change (contrast SetConfigInit, which is used during construction).

func (*ActivityLog) SetConfigInit added in v1.6.0

func (a *ActivityLog) SetConfigInit(config activityConfig)

SetConfigInit is the variant used during construction of the activity log.

func (*ActivityLog) SetConfigStandby added in v1.6.0

func (a *ActivityLog) SetConfigStandby(ctx context.Context, config activityConfig)

SetConfigStandby updates the enable flag from the given config and resets the current log; it is the variant used on a standby node.

func (*ActivityLog) SetEnable added in v1.6.2

func (a *ActivityLog) SetEnable(enabled bool)

SetEnable sets the enabled flag on the activity log

func (*ActivityLog) SetStandbyEnable added in v1.6.2

func (a *ActivityLog) SetStandbyEnable(ctx context.Context, enabled bool)

SetStandbyEnable sets enabled on a performance standby (using config)

func (*ActivityLog) SetStartTimestamp added in v1.6.2

func (a *ActivityLog) SetStartTimestamp(timestamp int64)

SetStartTimestamp sets the start timestamp on an activity log

func (*ActivityLog) StartOfNextMonth added in v1.6.0

func (a *ActivityLog) StartOfNextMonth() time.Time

func (*ActivityLog) StoreHyperlogLog added in v1.11.12

func (a *ActivityLog) StoreHyperlogLog(ctx context.Context, startTime time.Time, newHll *hyperloglog.Sketch) error

StoreHyperlogLog stores the hyperloglog (a sketch containing client IDs) for startTime (month) in storage

func (*ActivityLog) WaitForDeletion added in v1.7.0

func (a *ActivityLog) WaitForDeletion()

func (*ActivityLog) WalkEntitySegments added in v1.6.0

func (a *ActivityLog) WalkEntitySegments(ctx context.Context, startTime time.Time, hll *hyperloglog.Sketch, walkFn func(*activity.EntityActivityLog, time.Time, *hyperloglog.Sketch) error) error

WalkEntitySegments loads each of the entity segments for a particular start time

func (*ActivityLog) WalkTokenSegments added in v1.6.0

func (a *ActivityLog) WalkTokenSegments(ctx context.Context,
	startTime time.Time,
	walkFn func(*activity.TokenCount),
) error

WalkTokenSegments loads each of the token segments (expected 1) for a particular start time

type ActivityLogCoreConfig added in v1.6.0

type ActivityLogCoreConfig struct {
	// Enable activity log even if the feature flag not set
	ForceEnable bool

	// Do not start the worker that processes fragments.
	// NOTE(review): inferred from the field name; confirm against the implementation.
	DisableFragmentWorker bool

	// Do not start timers to send or persist fragments.
	DisableTimers bool

	// CensusReportInterval is the testing configuration for the time
	// between Write() calls initiated in CensusReport.
	CensusReportInterval time.Duration

	// MinimumRetentionMonths defines the minimum value for retention
	MinimumRetentionMonths int

	// Clock holds a custom clock to modify time.Now, time.Ticker, time.Timer.
	// If nil, the default functions from the time package are used
	Clock timeutil.Clock
}

These non-persistent configuration options allow us to disable parts of the implementation for integration testing. The default values should turn everything on.

type AuditBroker

type AuditBroker struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

AuditBroker is used to provide a single ingest interface to auditable events given that multiple backends may be configured.

func NewAuditBroker

func NewAuditBroker(log log.Logger) *AuditBroker

NewAuditBroker creates a new audit broker

func (*AuditBroker) Deregister

func (a *AuditBroker) Deregister(name string)

Deregister is used to remove an audit backend from the broker

func (*AuditBroker) GetHash added in v0.4.0

func (a *AuditBroker) GetHash(ctx context.Context, name string, input string) (string, error)

GetHash returns the given input hashed using the salt of the named audit backend.

func (*AuditBroker) Invalidate added in v0.7.3

func (a *AuditBroker) Invalidate(ctx context.Context, key string)

func (*AuditBroker) IsLocal added in v0.11.2

func (a *AuditBroker) IsLocal(name string) (bool, error)

IsLocal reports whether the named audit backend was registered as local (the local argument to Register); the error return presumably signals that no backend with that name is registered.

func (*AuditBroker) IsRegistered

func (a *AuditBroker) IsRegistered(name string) bool

IsRegistered is used to check if a given audit backend is registered

func (*AuditBroker) LogRequest

func (a *AuditBroker) LogRequest(ctx context.Context, in *logical.LogInput, headersConfig *AuditedHeadersConfig) (ret error)

LogRequest gives every registered audit backend the opportunity to log the given request and ensures that *at least one* succeeds; if no backend records the request, a non-nil error is returned so that the request is not served unaudited.

func (*AuditBroker) LogResponse

func (a *AuditBroker) LogResponse(ctx context.Context, in *logical.LogInput, headersConfig *AuditedHeadersConfig) (ret error)

LogResponse gives every registered audit backend the opportunity to log the given response and ensures that *at least one* succeeds; if no backend records the response, a non-nil error is returned so that the response is not delivered unaudited.

func (*AuditBroker) Register

func (a *AuditBroker) Register(name string, b audit.Backend, v *BarrierView, local bool)

Register is used to add new audit backend to the broker

type AuditLogger added in v1.4.0

type AuditLogger interface {
	AuditRequest(ctx context.Context, input *logical.LogInput) error
	AuditResponse(ctx context.Context, input *logical.LogInput) error
}

type AuditedHeadersConfig added in v0.6.5

type AuditedHeadersConfig struct {
	Headers map[string]*auditedHeaderSettings

	sync.RWMutex
	// contains filtered or unexported fields
}

AuditedHeadersConfig is used by the Audit Broker to write only approved headers to the audit logs. It uses a BarrierView to persist the settings.

func (*AuditedHeadersConfig) ApplyConfig added in v0.6.5

func (a *AuditedHeadersConfig) ApplyConfig(ctx context.Context, headers map[string][]string, hashFunc func(context.Context, string) (string, error)) (result map[string][]string, retErr error)

ApplyConfig filters the supplied request headers down to the approved set and returns them keyed by header name, with each value either HMAC'd through hashFunc or left in plaintext according to that header's settings; headers not on the approved list are omitted from the audit entry.

type AuthResults added in v0.9.0

type AuthResults struct {
	ACLResults      *ACLResults
	SentinelResults *SentinelResults
	Allowed         bool
	RootPrivs       bool
	DeniedError     bool
	Error           *multierror.Error
}

type BarrierEncryptor added in v0.7.0

type BarrierEncryptor interface {
	Encrypt(ctx context.Context, key string, plaintext []byte) ([]byte, error)
	Decrypt(ctx context.Context, key string, ciphertext []byte) ([]byte, error)
}

BarrierEncryptor is the in-memory encrypt/decrypt interface: it exposes the barrier's cryptographic operations without reading or writing the underlying barrier storage. It exists so that lower-level modules such as the Write-Ahead-Log and Merkle index can encrypt and decrypt with the barrier without going through its storage layer.

type BarrierEncryptorAccess added in v0.9.0

type BarrierEncryptorAccess struct {
	// contains filtered or unexported fields
}

BarrierEncryptorAccess is a wrapper around BarrierEncryptor that allows Core to expose its barrier encrypt/decrypt operations through BarrierEncryptorAccess() while restricting the ability to modify Core.barrier itself.

func NewBarrierEncryptorAccess added in v0.9.0

func NewBarrierEncryptorAccess(barrierEncryptor BarrierEncryptor) *BarrierEncryptorAccess

func (*BarrierEncryptorAccess) Decrypt added in v0.9.0

func (b *BarrierEncryptorAccess) Decrypt(ctx context.Context, key string, ciphertext []byte) ([]byte, error)

func (*BarrierEncryptorAccess) Encrypt added in v0.9.0

func (b *BarrierEncryptorAccess) Encrypt(ctx context.Context, key string, plaintext []byte) ([]byte, error)

type BarrierStorage

type BarrierStorage interface {
	// Put is used to insert or update an entry
	Put(ctx context.Context, entry *logical.StorageEntry) error

	// Get is used to fetch an entry
	Get(ctx context.Context, key string) (*logical.StorageEntry, error)

	// Delete is used to permanently delete an entry
	Delete(ctx context.Context, key string) error

	// List is used to list all the keys under a given
	// prefix, up to the next prefix.
	List(ctx context.Context, prefix string) ([]string, error)
}

BarrierStorage is the storage only interface required for a Barrier.

type BarrierView

type BarrierView struct {
	// contains filtered or unexported fields
}

BarrierView wraps a SecurityBarrier and ensures all access is automatically prefixed. This prevents anyone holding the view from reaching data in the durable storage outside of their prefix. Conceptually this is like a "chroot" into the barrier.

BarrierView implements logical.Storage so it can be passed in as the durable storage mechanism for logical views.

func NewBarrierView

func NewBarrierView(barrier logical.Storage, prefix string) *BarrierView

NewBarrierView takes an underlying security barrier and returns a view of it that can only operate with the given prefix.

func (*BarrierView) Delete

func (v *BarrierView) Delete(ctx context.Context, key string) error

Delete removes the given key, scoped to this view's prefix; part of the logical.Storage implementation.

func (*BarrierView) Get

func (*BarrierView) List

func (v *BarrierView) List(ctx context.Context, prefix string) ([]string, error)

func (*BarrierView) Prefix added in v1.0.3

func (v *BarrierView) Prefix() string

func (*BarrierView) Put

func (v *BarrierView) Put(ctx context.Context, entry *logical.StorageEntry) error

Put differs from List/Get in that it additionally checks for read-only errors before writing.

func (*BarrierView) SubView

func (v *BarrierView) SubView(prefix string) *BarrierView

SubView constructs a nested sub-view using the given prefix

type BuiltinRegistry added in v1.0.0

type BuiltinRegistry interface {
	Contains(name string, pluginType consts.PluginType) bool
	Get(name string, pluginType consts.PluginType) (func() (interface{}, error), bool)
	Keys(pluginType consts.PluginType) []string
	DeprecationStatus(name string, pluginType consts.PluginType) (consts.DeprecationStatus, bool)
	IsBuiltinEntPlugin(name string, pluginType consts.PluginType) bool
}

BuiltinRegistry is an interface that allows the "vault" package to use the registry of builtin plugins without getting an import cycle. It also allows for mocking the registry easily.

type CORSConfig added in v0.8.0

type CORSConfig struct {
	sync.RWMutex `json:"-"`

	// Enabled holds CORSEnabled or CORSDisabled; IsEnabled reads it.
	Enabled        *uint32  `json:"enabled"`
	// AllowedOrigins lists the origins permitted to make cross-origin
	// requests; a single "*" entry permits any origin (see Enable).
	AllowedOrigins []string `json:"allowed_origins,omitempty"`
	// AllowedHeaders lists the request headers permitted on
	// cross-origin requests (the headers argument to Enable).
	AllowedHeaders []string `json:"allowed_headers,omitempty"`
	// contains filtered or unexported fields
}

CORSConfig stores the state of the CORS configuration.

func (*CORSConfig) Disable added in v0.8.0

func (c *CORSConfig) Disable(ctx context.Context) error

Disable sets CORS to disabled and clears the allowed origins & headers.

func (*CORSConfig) Enable added in v0.8.0

func (c *CORSConfig) Enable(ctx context.Context, urls []string, headers []string) error

Enable turns CORS on and records the origins allowed to make cross-origin requests to Vault: either a single '*' entry, meaning any origin, or a list of origin URLs. headers lists the additional request headers to allow. Note that '*' disables origin checking entirely, so it should not be used on an internet-facing listener.

func (*CORSConfig) IsEnabled added in v0.8.0

func (c *CORSConfig) IsEnabled() bool

IsEnabled reports whether CORS is currently enabled, i.e. whether the Enabled flag is set.

func (*CORSConfig) IsValidOrigin added in v0.8.0

func (c *CORSConfig) IsValidOrigin(origin string) bool

IsValidOrigin determines if the origin of the request is allowed to make cross-origin requests based on the CORSConfig.

type CensusReporter added in v1.11.12

type CensusReporter interface{}

CensusReporter is an empty stub interface in the OSS build.

type ClientKey added in v0.11.2

type ClientKey struct {
	// Type names the key algorithm.
	// NOTE(review): the field layout matches an ECDSA key (X, Y public point,
	// D private scalar) — confirm against the .proto definition.
	Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
	X    []byte `protobuf:"bytes,2,opt,name=x,proto3" json:"x,omitempty"`
	Y    []byte `protobuf:"bytes,3,opt,name=y,proto3" json:"y,omitempty"`
	// D is presumably private key material. It is serialized by the
	// protobuf and JSON tags (and likely by String()), so avoid logging
	// or returning this message where only the public part is needed.
	D    []byte `protobuf:"bytes,4,opt,name=d,proto3" json:"d,omitempty"`
	// contains filtered or unexported fields
}

func (*ClientKey) Descriptor deprecated added in v0.11.2

func (*ClientKey) Descriptor() ([]byte, []int)

Deprecated: Use ClientKey.ProtoReflect.Descriptor instead.

func (*ClientKey) GetD added in v0.11.2

func (x *ClientKey) GetD() []byte

func (*ClientKey) GetType added in v0.11.2

func (x *ClientKey) GetType() string

func (*ClientKey) GetX added in v0.11.2

func (x *ClientKey) GetX() []byte

func (*ClientKey) GetY added in v0.11.2

func (x *ClientKey) GetY() []byte

func (*ClientKey) ProtoMessage added in v0.11.2

func (*ClientKey) ProtoMessage()

func (*ClientKey) ProtoReflect added in v1.5.0

func (x *ClientKey) ProtoReflect() protoreflect.Message

func (*ClientKey) Reset added in v0.11.2

func (x *ClientKey) Reset()

func (*ClientKey) String added in v0.11.2

func (x *ClientKey) String() string

type Cluster added in v0.6.1

type Cluster struct {
	// Name of the cluster
	Name string `json:"name" structs:"name" mapstructure:"name"`

	// Identifier of the cluster
	ID string `json:"id" structs:"id" mapstructure:"id"`
}

Structure representing the storage entry that holds cluster information

type ClusterLeaderParams added in v1.0.3

type ClusterLeaderParams struct {
	LeaderUUID         string
	LeaderRedirectAddr string
	LeaderClusterAddr  string
}

type ControlGroup added in v0.11.2

type ControlGroup struct {
	TTL     time.Duration
	Factors []*ControlGroupFactor
}

func (*ControlGroup) Clone added in v1.10.8

func (c *ControlGroup) Clone() (*ControlGroup, error)

type ControlGroupFactor added in v0.11.2

type ControlGroupFactor struct {
	Name                   string
	Identity               *IdentityFactor `hcl:"identity"`
	ControlledCapabilities []string        `hcl:"controlled_capabilities"`
}

type ControlGroupHCL added in v0.11.2

type ControlGroupHCL struct {
	TTL     interface{}                    `hcl:"ttl"`
	Factors map[string]*ControlGroupFactor `hcl:"factor"`
}

type Core

type Core struct {

	// PR1103disabled is used to test upgrade workflows: when set to true,
	// the correct behaviour for namespaced cubbyholes is disabled, so we
	// can test an upgrade to a version that includes the fixes from
	// https://github.com/hashicorp/vault-enterprise/pull/1103
	PR1103disabled bool

	IndexHeaderHMACKey uberAtomic.Value
	// contains filtered or unexported fields
}

Core is used as the central manager of Vault activity. It is the primary point of interface for API handlers and is responsible for managing the logical and physical backends, router, security barrier, and audit trails.

func CreateCore added in v1.8.0

func CreateCore(conf *CoreConfig) (*Core, error)

CreateCore conducts static validations on the Core Config and returns an uninitialized core.

func NewCore

func NewCore(conf *CoreConfig) (*Core, error)

NewCore creates, initializes and configures a Vault node (core).

func TestCore

func TestCore(t testing.T) *Core

TestCore returns a pure in-memory, uninitialized core for testing.

func TestCoreNewSeal added in v0.6.5

func TestCoreNewSeal(t testing.T) *Core

TestCoreNewSeal returns a pure in-memory, uninitialized core with the new seal configuration.

func TestCoreRaw added in v0.8.3

func TestCoreRaw(t testing.T) *Core

TestCoreRaw returns a pure in-memory, uninitialized core for testing. The raw storage endpoints are enabled with this core.

func TestCoreUI added in v0.11.2

func TestCoreUI(t testing.T, enableUI bool) *Core

func TestCoreUnsealed

func TestCoreUnsealed(t testing.T) (*Core, [][]byte, string)

TestCoreUnsealed returns a pure in-memory core that is already initialized and unsealed.

func TestCoreUnsealedBackend added in v0.7.0

func TestCoreUnsealedBackend(t testing.T, backend physical.Backend) (*Core, [][]byte, string)

func TestCoreUnsealedRaw added in v0.8.3

func TestCoreUnsealedRaw(t testing.T) (*Core, [][]byte, string)

TestCoreUnsealedRaw returns a pure in-memory core that is already initialized, unsealed, and with raw endpoints enabled.

func TestCoreUnsealedWithConfig added in v0.11.2

func TestCoreUnsealedWithConfig(t testing.T, conf *CoreConfig) (*Core, [][]byte, string)

TestCoreUnsealedWithConfig returns a pure in-memory core that is already initialized, unsealed, with the any provided core config values overridden.

func TestCoreUnsealedWithConfigSealOpts added in v0.9.0

func TestCoreUnsealedWithConfigSealOpts(t testing.T, barrierConf, recoveryConf *SealConfig, sealOpts *seal.TestSealOpts) (*Core, [][]byte, [][]byte, string)

func TestCoreUnsealedWithConfigs added in v0.6.5

func TestCoreUnsealedWithConfigs(t testing.T, barrierConf, recoveryConf *SealConfig) (*Core, [][]byte, [][]byte, string)

func TestCoreUnsealedWithMetrics added in v1.6.0

func TestCoreUnsealedWithMetrics(t testing.T) (*Core, [][]byte, string, *metrics.InmemSink)

func TestCoreWithConfig added in v0.11.2

func TestCoreWithConfig(t testing.T, conf *CoreConfig) *Core

TestCoreWithConfig returns a pure in-memory, uninitialized core with the specified core configurations overridden for testing.

func TestCoreWithCustomResponseHeaderAndUI added in v1.9.0

func TestCoreWithCustomResponseHeaderAndUI(t testing.T, CustomResponseHeaders map[string]map[string]string, enableUI bool) (*Core, [][]byte, string)

func TestCoreWithDeadlockDetection added in v1.13.10

func TestCoreWithDeadlockDetection(t testing.T, testSeal Seal, enableRaw bool) *Core

func TestCoreWithSeal added in v0.6.0

func TestCoreWithSeal(t testing.T, testSeal Seal, enableRaw bool) *Core

TestCoreWithSeal returns a pure in-memory, uninitialized core with the specified seal for testing.

func TestCoreWithSealAndUI added in v0.11.2

func TestCoreWithSealAndUI(t testing.T, opts *CoreConfig) *Core

func TestCoreWithSealAndUINoCleanup added in v1.10.0

func TestCoreWithSealAndUINoCleanup(t testing.T, opts *CoreConfig) *Core

func (*Core) ActiveNodeReplicationState added in v0.9.2

func (c *Core) ActiveNodeReplicationState() consts.ReplicationState

func (*Core) ActiveTime added in v1.7.0

func (c *Core) ActiveTime() time.Time

func (*Core) ActivityLogInjectResponse added in v1.6.0

func (c *Core) ActivityLogInjectResponse(ctx context.Context, pq *activity.PrecomputedQuery) error

ActivityLogInjectResponse injects a precomputed query into storage for testing.

func (*Core) AddIrrevocableLease added in v1.8.0

func (c *Core) AddIrrevocableLease(ctx context.Context, pathPrefix string) (*basicLeaseTestInfo, error)

AddIrrevocableLease adds an irrevocable lease under pathPrefix for test purposes and returns its lease ID and expiry time.

func (*Core) AddLogger added in v0.11.1

func (c *Core) AddLogger(logger log.Logger)

func (*Core) AllowForwardingViaHeader added in v1.7.0

func (c *Core) AllowForwardingViaHeader() bool

func (*Core) ApplyRateLimitQuota added in v1.5.0

func (c *Core) ApplyRateLimitQuota(ctx context.Context, req *quotas.Request) (quotas.Response, error)

ApplyRateLimitQuota checks the request against all the applicable quota rules. If the given request's path is exempt, no rate limiting will be applied.

func (*Core) AuditLogger added in v1.4.0

func (c *Core) AuditLogger() AuditLogger

func (*Core) AuditedHeadersConfig added in v0.6.5

func (c *Core) AuditedHeadersConfig() *AuditedHeadersConfig

func (*Core) BarrierEncryptorAccess added in v0.9.0

func (c *Core) BarrierEncryptorAccess() *BarrierEncryptorAccess

func (*Core) BarrierKeyLength added in v0.6.1

func (c *Core) BarrierKeyLength() (min, max int)

func (*Core) BarrierRekeyInit added in v0.6.0

func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError

BarrierRekeyInit is used to initialize the rekey settings for the barrier key

func (*Core) BarrierRekeyUpdate added in v0.6.0

func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, logical.HTTPCodedError)

BarrierRekeyUpdate is used to provide a new key part. Barrier rekey can be done with unseal keys, or recovery keys if that's supported and we are storing the barrier key.

N.B.: If recovery keys are used to rekey, the new barrier key shares are not returned.

func (*Core) BillingStart added in v1.11.12

func (c *Core) BillingStart() time.Time

func (*Core) CORSConfig added in v0.8.0

func (c *Core) CORSConfig() *CORSConfig

CORSConfig returns the current CORS configuration

func (*Core) Capabilities added in v0.5.2

func (c *Core) Capabilities(ctx context.Context, token, path string) ([]string, error)

Capabilities is used to fetch the capabilities of the given token on the given path

func (*Core) CensusAgent added in v1.11.12

func (c *Core) CensusAgent() CensusReporter

func (*Core) CensusLicensingEnabled added in v1.11.12

func (c *Core) CensusLicensingEnabled() bool

func (*Core) CheckPluginPerms added in v1.11.0

func (c *Core) CheckPluginPerms(pluginName string) (err error)

func (*Core) CheckSSCToken added in v1.10.0

func (c *Core) CheckSSCToken(ctx context.Context, token string, unauth bool, isPerfStandby bool) (string, error)

func (*Core) CheckToken added in v1.13.0

func (c *Core) CheckToken(ctx context.Context, req *logical.Request, unauth bool) (*logical.Auth, *logical.TokenEntry, error)

func (*Core) Cluster added in v0.6.1

func (c *Core) Cluster(ctx context.Context) (*Cluster, error)

Cluster fetches the details of the local cluster. This method errors out when Vault is sealed.

func (*Core) ClusterAddr added in v1.2.0

func (c *Core) ClusterAddr() string

func (*Core) ClusterID added in v1.11.12

func (c *Core) ClusterID() string

func (*Core) CreateEntity added in v1.9.0

func (c *Core) CreateEntity(ctx context.Context) (*identity.Entity, error)

func (*Core) CreateToken added in v1.9.0

func (c *Core) CreateToken(ctx context.Context, entry *logical.TokenEntry) error

CreateToken creates the given token in the core's token store.

func (*Core) DecodeMountTable added in v1.12.9

func (c *Core) DecodeMountTable(ctx context.Context, raw []byte) (*MountTable, error)

DecodeMountTable is used for testing

func (*Core) DecodeSSCToken added in v1.10.0

func (c *Core) DecodeSSCToken(token string) (string, error)

DecodeSSCToken returns the random part of an SSC token without performing any signature or WAL checks. Because nothing is verified, the returned value is unauthenticated and must not be used on its own to make authorization decisions; CheckSSCToken is the validating counterpart.

func (*Core) DecodeSSCTokenInternal added in v1.10.0

func (c *Core) DecodeSSCTokenInternal(token string) (*tokens.Token, error)

DecodeSSCTokenInternal is a helper that extracts the inner part of an SSC token without checking the token signature or the WAL index; as with DecodeSSCToken, the result is unverified.

func (*Core) DetectStateLockDeadlocks added in v1.13.10

func (c *Core) DetectStateLockDeadlocks() bool

func (*Core) DetermineRoleFromLoginRequest added in v1.12.0

func (c *Core) DetermineRoleFromLoginRequest(ctx context.Context, mountPoint string, data map[string]interface{}) string

DetermineRoleFromLoginRequest will determine the role that should be applied to a quota for a given login request

func (*Core) DetermineRoleFromLoginRequestFromBytes added in v1.12.0

func (c *Core) DetermineRoleFromLoginRequestFromBytes(ctx context.Context, mountPoint string, payload []byte) string

DetermineRoleFromLoginRequestFromBytes will determine the role that should be applied to a quota for a given login request, accepting a byte payload

func (*Core) DisableSSCTokens added in v1.10.0

func (c *Core) DisableSSCTokens() bool

DisableSSCTokens reports whether server-side consistent (SSC) tokens are disabled; when true, Vault does not use them.

func (*Core) EnableUndoLogs added in v1.13.9

func (c *Core) EnableUndoLogs()

func (*Core) Events added in v1.13.0

func (c *Core) Events() *eventbus.EventBus

Events returns a reference to the common event bus for sending and subscribing to events.

func (*Core) ExistCustomResponseHeader added in v1.9.0

func (c *Core) ExistCustomResponseHeader(header string) bool

ExistCustomResponseHeader checks if a custom header is configured in any listener's stanza

func (*Core) Features added in v0.11.2

func (c *Core) Features() license.Features

func (*Core) FetchLeaseCountToRevoke added in v1.8.0

func (c *Core) FetchLeaseCountToRevoke() int

func (*Core) FinalizeInFlightReqData added in v1.10.0

func (c *Core) FinalizeInFlightReqData(reqID string, statusCode int)

FinalizeInFlightReqData logs the completed request if the corresponding server config option is enabled. It also removes the request from the inFlightReqMap and decrements the number of in-flight requests by one.

func (*Core) FindNewestVersionTimestamp added in v1.10.0

func (c *Core) FindNewestVersionTimestamp() (string, time.Time, error)

func (*Core) FindOldestVersionTimestamp added in v1.9.0

func (c *Core) FindOldestVersionTimestamp() (string, time.Time, error)

FindOldestVersionTimestamp searches for the vault version with the oldest upgrade timestamp from storage. The earliest version this can be is 1.9.0.

func (*Core) ForwardRequest added in v0.6.1

func (c *Core) ForwardRequest(req *http.Request) (int, http.Header, []byte, error)

ForwardRequest forwards a given request to the active node and returns the response.

func (*Core) ForwardToActive added in v1.10.0

func (c *Core) ForwardToActive() string

func (*Core) GenerateRootCancel added in v0.5.0

func (c *Core) GenerateRootCancel() error

GenerateRootCancel is used to cancel an in-progress root generation

func (*Core) GenerateRootConfiguration added in v0.5.0

func (c *Core) GenerateRootConfiguration() (*GenerateRootConfig, error)

GenerateRootConfiguration is used to read the root generation configuration. It deliberately never returns the OTP, even if one is present.

func (*Core) GenerateRootInit added in v0.5.0

func (c *Core) GenerateRootInit(otp, pgpKey string, strategy GenerateRootStrategy) error

GenerateRootInit is used to initialize the root generation settings

func (*Core) GenerateRootProgress added in v0.5.0

func (c *Core) GenerateRootProgress() (int, error)

GenerateRootProgress is used to return the root generation progress (num shares)

func (*Core) GenerateRootUpdate added in v0.5.0

func (c *Core) GenerateRootUpdate(ctx context.Context, key []byte, nonce string, strategy GenerateRootStrategy) (*GenerateRootResult, error)

GenerateRootUpdate is used to provide a new key part

func (*Core) GetActiveClients added in v1.9.0

func (c *Core) GetActiveClients() map[string]*activity.EntityRecord

GetActiveClients returns the in-memory partialMonthClientTracker from an activity log.

func (*Core) GetActivityLog added in v1.7.0

func (c *Core) GetActivityLog() *ActivityLog

GetActivityLog returns a pointer to the (private) activity log on a core. Note: callers must follow the usual locking scheme when modifying the ActivityLog.

func (*Core) GetContext added in v0.9.2

func (c *Core) GetContext() (context.Context, context.CancelFunc)

func (*Core) GetCoreConfigInternal added in v1.8.0

func (c *Core) GetCoreConfigInternal() *server.Config

GetCoreConfigInternal returns the server configuration in struct format.

func (*Core) GetGroupPolicyApplicationMode added in v1.13.0

func (c *Core) GetGroupPolicyApplicationMode(ctx context.Context) (string, error)

func (*Core) GetHAPeerNodesCached added in v1.10.0

func (c *Core) GetHAPeerNodesCached() []PeerNode

GetHAPeerNodesCached returns the nodes that've sent us Echo requests recently.

func (*Core) GetHCPLinkStatus added in v1.12.0

func (c *Core) GetHCPLinkStatus() (string, string)

func (*Core) GetLeaderStatus added in v1.6.2

func (core *Core) GetLeaderStatus() (*LeaderResponse, error)

func (*Core) GetListenerCustomResponseHeaders added in v1.9.0

func (c *Core) GetListenerCustomResponseHeaders(listenerAdd string) *ListenerCustomHeaders

func (*Core) GetRaftAutopilotState added in v1.13.0

func (c *Core) GetRaftAutopilotState(ctx context.Context) (*raft.AutopilotState, error)

func (*Core) GetRaftConfiguration added in v1.13.0

func (c *Core) GetRaftConfiguration(ctx context.Context) (*raft.RaftConfigurationResponse, error)

func (*Core) GetRaftIndexes added in v1.4.2

func (c *Core) GetRaftIndexes() (committed uint64, applied uint64)

func (*Core) GetRaftNodeID added in v1.7.2

func (c *Core) GetRaftNodeID() string

GetRaftNodeID returns the raft node ID if there is one, or an empty string if there's not

func (*Core) GetSealStatus added in v1.6.2

func (core *Core) GetSealStatus(ctx context.Context, lock bool) (*SealStatusResponse, error)

func (*Core) HAEnabled added in v1.13.0

func (c *Core) HAEnabled() bool

func (*Core) HAState added in v1.9.0

func (c *Core) HAState() consts.HAState

c.stateLock needs to be held in read mode before calling this function.

func (*Core) HAStateWithLock added in v1.13.0

func (c *Core) HAStateWithLock() consts.HAState

func (*Core) HandleRequest

func (c *Core) HandleRequest(httpCtx context.Context, req *logical.Request) (resp *logical.Response, err error)

HandleRequest is used to handle a new incoming request

func (*Core) HasFeature added in v0.11.2

func (c *Core) HasFeature(license.Features) bool

func (*Core) HasWALState added in v1.10.0

func (c *Core) HasWALState(required *logical.WALState, perfStandby bool) bool

func (*Core) HostnameHeaderEnabled added in v1.7.2

func (c *Core) HostnameHeaderEnabled() bool

HostnameHeaderEnabled determines whether to add the X-Vault-Hostname header to HTTP responses.

func (*Core) IdentityStore added in v0.9.0

func (c *Core) IdentityStore() *IdentityStore

func (*Core) Initialize

func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitResult, error)

Initialize is used to initialize the Vault with the given configurations.

func (*Core) InitializeRecovery added in v1.3.0

func (c *Core) InitializeRecovery(ctx context.Context) error

func (*Core) Initialized

func (c *Core) Initialized(ctx context.Context) (bool, error)

Initialized checks if the Vault is already initialized. This means one of two things: either the barrier has been created (with keyring and master key) and the seal config written to storage, or Raft is forming a cluster and a join/bootstrap is in progress.

func (*Core) InitializedLocally added in v1.6.1

func (c *Core) InitializedLocally(ctx context.Context) (bool, error)

InitializedLocally checks if the Vault is already initialized from the local node's perspective. This is the same thing as Initialized, unless using Raft, in which case Initialized may return true (because a peer we're joining to has been initialized) while InitializedLocally returns false (because we're not done bootstrapping raft on the local node).

func (*Core) InitiateRetryJoin added in v1.4.0

func (c *Core) InitiateRetryJoin(ctx context.Context) error

func (*Core) InjectActivityLogDataThisMonth added in v1.7.0

func (c *Core) InjectActivityLogDataThisMonth(t *testing.T) map[string]*activity.EntityRecord

InjectActivityLogDataThisMonth populates the in-memory client store with some entities and tokens, overriding what was already there. It is currently used for API integration tests.

func (*Core) InjectIrrevocableLeases added in v1.8.0

func (c *Core) InjectIrrevocableLeases(ctx context.Context, count int) (map[string]int, error)

InjectIrrevocableLeases injects `count` irrevocable leases (currently to a single mount). It returns a map of the mount accessor to the number of leases stored there

func (*Core) IsDRSecondary added in v0.9.2

func (c *Core) IsDRSecondary() bool

IsDRSecondary returns if the current cluster state is a DR secondary.

func (*Core) IsExperimentEnabled added in v1.13.0

func (c *Core) IsExperimentEnabled(experiment string) bool

IsExperimentEnabled is true if the experiment is enabled in the core.

func (*Core) IsInSealMigrationMode added in v1.6.0

func (c *Core) IsInSealMigrationMode(lock bool) bool

IsInSealMigrationMode returns true if we're configured to perform a seal migration, meaning either that we have a disabled seal in HCL configuration or the seal configuration in storage is Shamir but the seal in HCL is not. In this mode we should not auto-unseal (even if the migration is done) and we will accept unseal requests with and without the `migrate` option, though the migrate option is required if we haven't yet performed the seal migration. Lock should only be false if the caller is already holding the read statelock (such as calls originating from switchedLockHandleRequest).

func (*Core) IsPerfSecondary added in v1.6.7

func (c *Core) IsPerfSecondary() bool

func (*Core) IsRaftVoter added in v1.13.0

func (c *Core) IsRaftVoter() bool

IsRaftVoter specifies whether the node is a raft voter which is always false if raft storage is not in use.

func (*Core) IsSealMigrated added in v1.6.0

func (c *Core) IsSealMigrated(lock bool) bool

IsSealMigrated returns true if we're in seal migration mode but migration has already been performed (possibly by another node, or prior to this node's current invocation). Lock should only be false if the caller is already holding the read statelock (such as calls originating from switchedLockHandleRequest).

func (*Core) JoinRaftCluster added in v1.2.0

func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJoinInfo, nonVoter bool) (bool, error)

func (*Core) KeyRotateGracePeriod added in v1.7.0

func (c *Core) KeyRotateGracePeriod() time.Duration

func (*Core) Leader

func (c *Core) Leader() (isLeader bool, leaderAddr, clusterAddr string, err error)

Leader is used to get the current active leader

func (*Core) ListAuths added in v1.12.0

func (c *Core) ListAuths() ([]*MountEntry, error)

ListAuths will provide a slice containing a deep copy of each auth entry.

func (*Core) ListMounts added in v1.11.12

func (c *Core) ListMounts() ([]*MountEntry, error)

ListMounts will provide a slice containing a deep copy of each mount entry.

func (*Core) ListNamespaces added in v1.9.0

func (c *Core) ListNamespaces(includePath bool) []*namespace.Namespace

func (*Core) ListenerAddresses added in v1.13.0

func (c *Core) ListenerAddresses() ([]string, error)

ListenerAddresses provides a slice of configured listener addresses

func (*Core) LoadInFlightReqData added in v1.10.0

func (c *Core) LoadInFlightReqData() map[string]InFlightReqData

LoadInFlightReqData creates a snapshot map of the current in-flight requests

func (*Core) LoadNodeID added in v1.12.0

func (c *Core) LoadNodeID() (string, error)

func (*Core) LocalGetUserFailedLoginInfo added in v1.13.3

func (c *Core) LocalGetUserFailedLoginInfo(ctx context.Context, userKey FailedLoginUser) *FailedLoginInfo

LocalGetUserFailedLoginInfo gets the failed login information for a user based on alias name and mountAccessor

func (*Core) LocalUpdateUserFailedLoginInfo added in v1.13.3

func (c *Core) LocalUpdateUserFailedLoginInfo(ctx context.Context, userKey FailedLoginUser, failedLoginInfo *FailedLoginInfo, deleteEntry bool) error

LocalUpdateUserFailedLoginInfo updates the failed login information for a user based on alias name and mountAccessor

func (*Core) LogCompletedRequests added in v1.10.0

func (c *Core) LogCompletedRequests(reqID string, statusCode int)

LogCompletedRequests logs the completed request to the server logs.

func (*Core) LogFormat added in v1.5.0

func (c *Core) LogFormat() string

LogFormat returns the log format current in use.

func (*Core) LogLevel added in v1.13.0

func (c *Core) LogLevel() string

LogLevel returns the log level provided by config, CLI flag, or env.

func (*Core) Logger added in v0.6.1

func (c *Core) Logger() log.Logger

func (*Core) LoginCreateToken added in v1.10.0

func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, reqPath, mountPoint, role string, resp *logical.Response) (bool, *logical.Response, error)

LoginCreateToken creates a token as a result of a login request. If MFA is enforced, the mfa/validate endpoint calls this function after successful MFA validation to generate the token.

func (*Core) LoginMFACreateToken added in v1.10.0

func (c *Core) LoginMFACreateToken(ctx context.Context, reqPath string, cachedAuth *logical.Auth, loginRequestData map[string]interface{}) (*logical.Response, error)

LoginMFACreateToken creates a token after the login MFA is validated. It also applies the lease quotas on the original login request path.

func (*Core) LookupToken added in v0.6.3

func (c *Core) LookupToken(ctx context.Context, token string) (*logical.TokenEntry, error)

LookupToken returns the properties of the token from the token store. This is particularly useful to fetch the accessor of the client token and get it populated in the logical request along with the client token. The accessor of the client token can get audit logged.

Should be called with read stateLock held.

func (*Core) MatchingMount added in v1.5.0

func (c *Core) MatchingMount(ctx context.Context, reqPath string) string

MatchingMount returns the path of the mount that will be responsible for handling the given request path.

func (*Core) MetricSink added in v1.5.0

func (c *Core) MetricSink() *metricsutil.ClusterMetricSink

MetricSink returns the metrics wrapper with which Core has been configured.

func (*Core) MetricsHelper added in v1.3.0

func (c *Core) MetricsHelper() *metricsutil.MetricsHelper

MetricsHelper returns the global metrics helper which allows external packages to access Vault's internal metrics.

func (*Core) MissingRequiredState added in v1.7.0

func (c *Core) MissingRequiredState(raw []string, perfStandby bool) bool

func (*Core) NamespaceByID added in v1.9.0

func (c *Core) NamespaceByID(ctx context.Context, nsID string) (*namespace.Namespace, error)

func (*Core) NewForwardedWriter added in v1.13.0

func (c *Core) NewForwardedWriter(ctx context.Context, wrapped logical.Storage, _ bool) (logical.Storage, error)

func (*Core) PerfStandby added in v0.11.0

func (c *Core) PerfStandby() bool

PerfStandby checks if the vault is a performance standby. This function cannot be used during request handling because doing so causes a deadlock with the statelock.

func (*Core) PersistTOTPKey added in v1.9.0

func (c *Core) PersistTOTPKey(ctx context.Context, methodID, entityID, key string) error

func (*Core) PersistUndoLogs added in v1.12.0

func (c *Core) PersistUndoLogs() error

func (*Core) PhysicalAccess added in v0.9.0

func (c *Core) PhysicalAccess() *physical.PhysicalAccess

func (*Core) PhysicalSealConfigs added in v1.0.0

func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfig, error)

func (*Core) PopMFAResponseAuthByID added in v1.10.0

func (c *Core) PopMFAResponseAuthByID(reqID string) (*MFACachedAuthResponse, error)

PopMFAResponseAuthByID pops an item from the mfaResponseAuthQueue by ID. It returns the cached auth response or an error.

func (*Core) PopulateTokenEntry added in v1.8.0

func (c *Core) PopulateTokenEntry(ctx context.Context, req *logical.Request) error

PopulateTokenEntry looks up req.ClientToken in the token store and uses it to set other fields in req. Does nothing if ClientToken is empty or a JWT token, or for service tokens that don't exist in the token store. Should be called with read stateLock held.

func (*Core) RaftBootstrap added in v1.5.0

func (c *Core) RaftBootstrap(ctx context.Context, onInit bool) error

RaftBootstrap performs bootstrapping of a raft cluster if core contains a raft backend. If raft is not part of the storage or HA storage backend, this call results in an error.

func (*Core) RaftNodeIDHeaderEnabled added in v1.7.2

func (c *Core) RaftNodeIDHeaderEnabled() bool

RaftNodeIDHeaderEnabled determines whether to add the X-Vault-Raft-Node-ID header to HTTP responses.

func (*Core) RateLimitAuditLoggingEnabled added in v1.5.0

func (c *Core) RateLimitAuditLoggingEnabled() bool

RateLimitAuditLoggingEnabled returns if the quota configuration allows audit logging of request rejections due to rate limiting quota rule violations.

func (*Core) RateLimitResponseHeadersEnabled added in v1.6.0

func (c *Core) RateLimitResponseHeadersEnabled() bool

RateLimitResponseHeadersEnabled returns if the quota configuration allows for rate limit quota HTTP headers to be added to responses.

func (*Core) RecoveryRekeyInit added in v0.6.0

func (c *Core) RecoveryRekeyInit(config *SealConfig) logical.HTTPCodedError

RecoveryRekeyInit is used to initialize the rekey settings for the recovery key

func (*Core) RecoveryRekeyUpdate added in v0.6.0

func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, logical.HTTPCodedError)

RecoveryRekeyUpdate is used to provide a new key part

func (*Core) RegisterAuth added in v0.11.2

func (c *Core) RegisterAuth(ctx context.Context, tokenTTL time.Duration, path string, auth *logical.Auth, role string) error

RegisterAuth uses a logical.Auth object to create a token entry in the token store, and registers a corresponding token lease with the expiration manager. role is the login role used when creating the token entry; if not relevant, it can be omitted by passing "".

func (*Core) RekeyCancel added in v0.2.0

func (c *Core) RekeyCancel(recovery bool) logical.HTTPCodedError

RekeyCancel is used to cancel an in-progress rekey

func (*Core) RekeyConfig added in v0.2.0

func (c *Core) RekeyConfig(recovery bool) (*SealConfig, logical.HTTPCodedError)

RekeyConfig is used to read the rekey configuration

func (*Core) RekeyDeleteBackup added in v0.5.0

func (c *Core) RekeyDeleteBackup(ctx context.Context, recovery bool) logical.HTTPCodedError

RekeyDeleteBackup is used to delete any backed-up PGP-encrypted unseal keys

func (*Core) RekeyInit added in v0.2.0

func (c *Core) RekeyInit(config *SealConfig, recovery bool) logical.HTTPCodedError

RekeyInit will either initialize the rekey of barrier or recovery key. recovery determines whether this is a rekey on the barrier or recovery key.

func (*Core) RekeyProgress added in v0.2.0

func (c *Core) RekeyProgress(recovery, verification bool) (bool, int, logical.HTTPCodedError)

RekeyProgress is used to return the rekey progress (num shares).

func (*Core) RekeyRetrieveBackup added in v0.5.0

func (c *Core) RekeyRetrieveBackup(ctx context.Context, recovery bool) (*RekeyBackup, logical.HTTPCodedError)

RekeyRetrieveBackup is used to retrieve any backed-up PGP-encrypted unseal keys

func (*Core) RekeyThreshold added in v0.6.0

func (c *Core) RekeyThreshold(ctx context.Context, recovery bool) (int, logical.HTTPCodedError)

RekeyThreshold returns the secret threshold for the current seal config. This threshold can either be the barrier key threshold or the recovery key threshold, depending on whether rekey is being performed on the recovery key, or whether the seal supports recovery keys.

func (*Core) RekeyUpdate added in v0.2.0

func (c *Core) RekeyUpdate(ctx context.Context, key []byte, nonce string, recovery bool) (*RekeyResult, logical.HTTPCodedError)

RekeyUpdate is used to provide a new key part for the barrier or recovery key.

func (*Core) RekeyVerify added in v0.10.2

func (c *Core) RekeyVerify(ctx context.Context, key []byte, nonce string, recovery bool) (ret *RekeyVerifyResult, retErr logical.HTTPCodedError)

func (*Core) RekeyVerifyRestart added in v0.10.2

func (c *Core) RekeyVerifyRestart(recovery bool) logical.HTTPCodedError

RekeyVerifyRestart is used to start the verification process over

func (*Core) ReloadCensus added in v1.11.12

func (c *Core) ReloadCensus() error

func (*Core) ReloadCustomResponseHeaders added in v1.9.0

func (c *Core) ReloadCustomResponseHeaders() error

func (*Core) ReloadIntrospectionEndpointEnabled added in v1.13.0

func (c *Core) ReloadIntrospectionEndpointEnabled()

func (*Core) ReloadLogRequestsLevel added in v1.10.0

func (c *Core) ReloadLogRequestsLevel()

func (*Core) ReloadManagedKeyRegistryConfig added in v1.10.0

func (c *Core) ReloadManagedKeyRegistryConfig()

func (*Core) ReplicationState added in v0.7.0

func (c *Core) ReplicationState() consts.ReplicationState

func (*Core) ResetActivityLog added in v1.6.0

func (c *Core) ResetActivityLog() []*activity.LogFragment

ResetActivityLog is used to extract the current fragment(s) during integration testing, so that it can be checked in a race-free way.

func (*Core) ResetUnsealProcess added in v0.4.0

func (c *Core) ResetUnsealProcess()

ResetUnsealProcess removes the current unlock parts from memory, to reset the unsealing process

func (*Core) ResolveRoleForQuotas added in v1.13.7

func (c *Core) ResolveRoleForQuotas(ctx context.Context, req *quotas.Request) (bool, error)

ResolveRoleForQuotas looks for any quotas requiring a role for early computation in the RateLimitQuotaWrapping handler.

func (*Core) RouterAccess added in v0.9.0

func (c *Core) RouterAccess() *RouterAccess

func (*Core) SanitizedConfig added in v1.3.0

func (c *Core) SanitizedConfig() map[string]interface{}

SanitizedConfig returns a sanitized version of the current config. See server.Config.Sanitized for specific values omitted.

func (*Core) SaveMFAResponseAuth added in v1.10.0

func (c *Core) SaveMFAResponseAuth(respAuth *MFACachedAuthResponse) error

SaveMFAResponseAuth pushes an MFACachedAuthResponse to the mfaResponseAuthQueue. It returns an error in case of failure.

func (*Core) Seal

func (c *Core) Seal(token string) error

Seal takes in a token and creates a logical.Request, acquires the lock, and passes through to sealInternal

func (*Core) SealAccess added in v0.6.0

func (c *Core) SealAccess() *SealAccess

func (*Core) SealWithRequest added in v0.6.0

func (c *Core) SealWithRequest(httpCtx context.Context, req *logical.Request) error

SealWithRequest takes in a logical.Request, acquires the lock, and passes through to sealInternal

func (*Core) Sealed

func (c *Core) Sealed() bool

Sealed checks if the Vault is currently sealed.

func (*Core) SecretProgress

func (c *Core) SecretProgress(lock bool) (int, string)

SecretProgress returns the number of keys provided so far. Lock should only be false if the caller is already holding the read statelock (such as calls originating from switchedLockHandleRequest).

func (*Core) SendGroupUpdate added in v1.9.0

func (c *Core) SendGroupUpdate(context.Context, *identity.Group) (bool, error)

func (*Core) SetClusterHandler added in v0.7.3

func (c *Core) SetClusterHandler(handler http.Handler)

func (*Core) SetClusterListenerAddrs added in v0.6.1

func (c *Core) SetClusterListenerAddrs(addrs []*net.TCPAddr)

func (*Core) SetConfig added in v1.3.0

func (c *Core) SetConfig(conf *server.Config)

SetConfig sets core's config object to the newly provided config.

func (*Core) SetGroupPolicyApplicationMode added in v1.13.0

func (c *Core) SetGroupPolicyApplicationMode(ctx context.Context, mode string) error

func (*Core) SetHCPLinkStatus added in v1.12.0

func (c *Core) SetHCPLinkStatus(status, resourceID string)

func (*Core) SetKeyRotateGracePeriod added in v1.7.0

func (c *Core) SetKeyRotateGracePeriod(t time.Duration)

func (*Core) SetLogLevel added in v0.11.1

func (c *Core) SetLogLevel(level log.Level)

SetLogLevel sets logging level for all tracked loggers to the level provided

func (*Core) SetLogLevelByName added in v1.10.5

func (c *Core) SetLogLevelByName(name string, level log.Level) bool

SetLogLevelByName sets the logging level of the named logger to the level provided, if it exists. Core.allLoggers is a slice and as such it is entirely possible that multiple entries exist for the same name. Each instance will be modified.

func (*Core) SetNeverBecomeActive added in v1.0.3

func (c *Core) SetNeverBecomeActive(on bool)

func (*Core) Shutdown added in v0.2.0

func (c *Core) Shutdown() error

Shutdown is invoked when the Vault instance is about to be terminated. It should not be accessible as part of an API call as it will cause an availability problem. It is only used to gracefully quit in the case of HA so that failover happens as quickly as possible.

func (*Core) ShutdownCoreError added in v1.12.3

func (c *Core) ShutdownCoreError(err error)

ShutdownCoreError logs a shutdown error and shuts down the Vault core.

func (*Core) ShutdownDone added in v1.4.0

func (c *Core) ShutdownDone() <-chan struct{}

ShutdownDone returns a channel that will be closed after Shutdown completes

func (*Core) ShutdownWait added in v1.10.0

func (c *Core) ShutdownWait() error

func (*Core) Standby

func (c *Core) Standby() (bool, error)

Standby checks if the Vault is in standby mode

func (*Core) StandbyStates added in v1.6.0

func (c *Core) StandbyStates() (standby, perfStandby bool)

StandbyStates is meant as a way to avoid some extra locking on the very common sys/health check.

func (*Core) StepDown added in v0.5.2

func (c *Core) StepDown(httpCtx context.Context, req *logical.Request) (retErr error)

StepDown is used to step down from leadership

func (*Core) StorageType added in v1.3.0

func (c *Core) StorageType() string

StorageType returns a string equal to the storage configuration's type.

func (*Core) StoreInFlightReqData added in v1.10.0

func (c *Core) StoreInFlightReqData(reqID string, data InFlightReqData)

func (*Core) UIEnabled added in v0.10.0

func (c *Core) UIEnabled() bool

UIEnabled returns if the UI is enabled

func (*Core) UIHeaders added in v0.10.0

func (c *Core) UIHeaders() (http.Header, error)

UIHeaders returns configured UI headers

func (*Core) UndoLogsEnabled added in v1.12.0

func (c *Core) UndoLogsEnabled() bool

func (*Core) UndoLogsPersisted added in v1.12.0

func (c *Core) UndoLogsPersisted() (bool, error)

func (*Core) Unseal

func (c *Core) Unseal(key []byte) (bool, error)

Unseal is used to provide one of the key parts to unseal the Vault.

func (*Core) UnsealMigrate added in v1.6.0

func (c *Core) UnsealMigrate(key []byte) (bool, error)

func (*Core) UnsealWithStoredKeys added in v0.6.0

func (c *Core) UnsealWithStoredKeys(ctx context.Context) error

UnsealWithStoredKeys performs auto-unseal using stored keys. An error return value of "nil" implies the Vault instance is unsealed.

Callers should attempt to retry any NonFatalErrors. Callers should not re-attempt fatal errors.

func (*Core) UpdateInFlightReqData added in v1.10.0

func (c *Core) UpdateInFlightReqData(reqID, clientID string)

UpdateInFlightReqData updates the data for a specific reqID with the clientID

type CoreConfig

// CoreConfig is used to parameterize a Core: it carries the backends, seals,
// addresses and feature switches a caller supplies when constructing one.
type CoreConfig struct {
	// NOTE(review): DevToken is presumably the fixed token used by dev-mode
	// servers — confirm; it should never be set on a production Core.
	DevToken string

	BuiltinRegistry BuiltinRegistry

	LogicalBackends map[string]logical.Factory

	CredentialBackends map[string]logical.Factory

	AuditBackends map[string]audit.Factory

	Physical physical.Backend

	// StorageType is the storage configuration's type string, as reported
	// by Core.StorageType.
	StorageType string

	// May be nil, which disables HA operations
	HAPhysical physical.HABackend

	// ServiceRegistration may be nil; see CoreConfig.GetServiceRegistration.
	ServiceRegistration sr.ServiceRegistration

	// Seal is the configured seal, or if none is configured explicitly, a
	// shamir seal.  In migration scenarios this is the new seal.
	Seal Seal

	// Unwrap seal is the optional seal marked "disabled"; this is the old
	// seal in migration scenarios.
	UnwrapSeal Seal

	// NOTE(review): SecureRandomReader is presumably the entropy source used
	// for key material; confirm before wiring anything other than a
	// cryptographically secure reader here.
	SecureRandomReader io.Reader

	LogLevel string

	Logger log.Logger

	// Use the deadlocks library to detect deadlocks
	DetectDeadlocks string

	// If any role based quota (LCQ or RLQ) is enabled, don't track lease counts by role
	ImpreciseLeaseRoleTracking bool

	// Disables the trace display for Sentinel checks
	DisableSentinelTrace bool

	// Disables the LRU cache on the physical backend
	DisableCache bool

	// Disables mlock syscall
	DisableMlock bool

	// Custom cache size for the LRU cache on the physical backend, or zero for default
	CacheSize int

	// Set as the leader address for HA
	RedirectAddr string

	// Set as the cluster address for HA
	ClusterAddr string

	DefaultLeaseTTL time.Duration

	MaxLeaseTTL time.Duration

	ClusterName string

	ClusterCipherSuites string

	// EnableUI controls whether the web UI is enabled (see Core.UIEnabled).
	EnableUI bool

	// Enable the raw endpoint
	EnableRaw bool

	// Enable the introspection endpoint
	EnableIntrospection bool

	PluginDirectory string

	// NOTE(review): PluginFileUid and PluginFilePermissions presumably
	// constrain the ownership/mode plugin binaries must have before they
	// are run — confirm against the plugin loader.
	PluginFileUid int

	PluginFilePermissions int

	DisableSealWrap bool

	// RawConfig is the server configuration as loaded; Core.SanitizedConfig
	// exposes a redacted view of the current config.
	RawConfig *server.Config

	// NOTE(review): ReloadFuncsLock presumably guards ReloadFuncs — confirm.
	ReloadFuncs     *map[string][]reloadutil.ReloadFunc
	ReloadFuncsLock *sync.RWMutex

	// Licensing
	License         string
	LicensePath     string
	LicensingConfig *LicensingConfig

	// Configured Census Agent
	CensusAgent CensusReporter

	DisablePerformanceStandby bool
	DisableIndexing           bool
	DisableKeyEncodingChecks  bool

	AllLoggers []log.Logger

	// Telemetry objects
	MetricsHelper *metricsutil.MetricsHelper
	MetricSink    *metricsutil.ClusterMetricSink

	RecoveryMode bool

	ClusterNetworkLayer cluster.NetworkLayer

	ClusterHeartbeatInterval time.Duration

	// Activity log controls
	ActivityLogConfig ActivityLogCoreConfig

	// number of workers to use for lease revocation in the expiration manager
	NumExpirationWorkers int

	// DisableAutopilot is used to disable autopilot subsystem in raft storage
	DisableAutopilot bool

	// Whether to send headers in the HTTP response showing hostname or raft node ID
	// (X-Vault-Hostname and X-Vault-Raft-Node-ID respectively; see
	// Core.HostnameHeaderEnabled and Core.RaftNodeIDHeaderEnabled).
	EnableResponseHeaderHostname   bool
	EnableResponseHeaderRaftNodeID bool

	// DisableSSCTokens is used to disable the use of server side consistent tokens
	DisableSSCTokens bool

	EffectiveSDKVersion string

	RollbackPeriod time.Duration

	// Experiments lists the experiment names that are enabled; queried via
	// Core.IsExperimentEnabled.
	Experiments []string

	PendingRemovalMountsAllowed bool

	ExpirationRevokeRetryBase time.Duration

	// AdministrativeNamespacePath is used to configure the administrative namespace, which has access to some sys endpoints that are
	// only accessible in the root namespace, currently sys/audit-hash and sys/monitor.
	AdministrativeNamespacePath string

	NumRollbackWorkers int
	// contains filtered or unexported fields
}

CoreConfig is used to parameterize a core

func (CoreConfig) Clone added in v1.0.0

func (e CoreConfig) Clone() entCoreConfig

func (*CoreConfig) GetServiceRegistration added in v1.4.0

func (c *CoreConfig) GetServiceRegistration() sr.ServiceRegistration

GetServiceRegistration returns the config's ServiceRegistration, or nil if it does not exist.

type CubbyholeBackend added in v0.3.0

// CubbyholeBackend is used for storing secrets directly into the physical
// backend. The secrets are encrypted in the durable storage. This differs
// from kv in that every token has its own private storage view; the view is
// removed when the token expires.
type CubbyholeBackend struct {
	*framework.Backend
	// contains filtered or unexported fields
}

CubbyholeBackend is used for storing secrets directly into the physical backend. The secrets are encrypted in the durable storage. This differs from kv in that every token has its own private storage view. The view is removed when the token expires.

type Deserializable added in v1.13.0

// Deserializable is implemented by types that can render themselves as a
// generic map.
type Deserializable interface {
	// Deserialize converts a structure into a consumable map
	Deserialize() map[string]interface{}
}

type EchoReply added in v0.7.3

// EchoReply is a protobuf message type (see its ProtoReflect and Descriptor
// methods); the struct tags must stay in sync with the .proto definition.
// NOTE(review): presumably the active node's answer to an EchoRequest
// heartbeat — confirm against the cluster RPC handler.
type EchoReply struct {
	Message          string           `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
	ClusterAddrs     []string         `protobuf:"bytes,2,rep,name=cluster_addrs,json=clusterAddrs,proto3" json:"cluster_addrs,omitempty"`
	ReplicationState uint32           `protobuf:"varint,3,opt,name=replication_state,json=replicationState,proto3" json:"replication_state,omitempty"`
	RaftAppliedIndex uint64           `protobuf:"varint,4,opt,name=raft_applied_index,json=raftAppliedIndex,proto3" json:"raft_applied_index,omitempty"`
	RaftNodeID       string           `protobuf:"bytes,5,opt,name=raft_node_id,json=raftNodeId,proto3" json:"raft_node_id,omitempty"`
	NodeInfo         *NodeInformation `protobuf:"bytes,6,opt,name=node_info,json=nodeInfo,proto3" json:"node_info,omitempty"`
	// contains filtered or unexported fields
}

func (*EchoReply) Descriptor deprecated added in v0.7.3

func (*EchoReply) Descriptor() ([]byte, []int)

Deprecated: Use EchoReply.ProtoReflect.Descriptor instead.

func (*EchoReply) GetClusterAddrs added in v0.7.3

func (x *EchoReply) GetClusterAddrs() []string

func (*EchoReply) GetMessage added in v0.7.3

func (x *EchoReply) GetMessage() string

func (*EchoReply) GetNodeInfo added in v1.5.0

func (x *EchoReply) GetNodeInfo() *NodeInformation

func (*EchoReply) GetRaftAppliedIndex added in v1.2.0

func (x *EchoReply) GetRaftAppliedIndex() uint64

func (*EchoReply) GetRaftNodeID added in v1.2.0

func (x *EchoReply) GetRaftNodeID() string

func (*EchoReply) GetReplicationState added in v0.9.2

func (x *EchoReply) GetReplicationState() uint32

func (*EchoReply) ProtoMessage added in v0.7.3

func (*EchoReply) ProtoMessage()

func (*EchoReply) ProtoReflect added in v1.5.0

func (x *EchoReply) ProtoReflect() protoreflect.Message

func (*EchoReply) Reset added in v0.7.3

func (x *EchoReply) Reset()

func (*EchoReply) String added in v0.7.3

func (x *EchoReply) String() string

type EchoRequest added in v0.7.3

// EchoRequest is a protobuf message type (see its ProtoReflect and
// Descriptor methods) sent by a standby node to the active node on
// heartbeat; the struct tags must stay in sync with the .proto definition.
type EchoRequest struct {
	Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
	// ClusterAddr is used to send up a standby node's address to the active
	// node upon heartbeat
	ClusterAddr string `protobuf:"bytes,2,opt,name=cluster_addr,json=clusterAddr,proto3" json:"cluster_addr,omitempty"`
	// ClusterAddrs is used to send up a list of cluster addresses to a dr
	// primary from a dr secondary
	ClusterAddrs        []string         `protobuf:"bytes,3,rep,name=cluster_addrs,json=clusterAddrs,proto3" json:"cluster_addrs,omitempty"`
	RaftAppliedIndex    uint64           `protobuf:"varint,4,opt,name=raft_applied_index,json=raftAppliedIndex,proto3" json:"raft_applied_index,omitempty"`
	RaftNodeID          string           `protobuf:"bytes,5,opt,name=raft_node_id,json=raftNodeId,proto3" json:"raft_node_id,omitempty"`
	NodeInfo            *NodeInformation `protobuf:"bytes,6,opt,name=node_info,json=nodeInfo,proto3" json:"node_info,omitempty"`
	RaftTerm            uint64           `protobuf:"varint,7,opt,name=raft_term,json=raftTerm,proto3" json:"raft_term,omitempty"`
	RaftDesiredSuffrage string           `protobuf:"bytes,8,opt,name=raft_desired_suffrage,json=raftDesiredSuffrage,proto3" json:"raft_desired_suffrage,omitempty"`
	RaftUpgradeVersion  string           `protobuf:"bytes,9,opt,name=raft_upgrade_version,json=raftUpgradeVersion,proto3" json:"raft_upgrade_version,omitempty"`
	RaftRedundancyZone  string           `protobuf:"bytes,10,opt,name=raft_redundancy_zone,json=raftRedundancyZone,proto3" json:"raft_redundancy_zone,omitempty"`
	SdkVersion          string           `protobuf:"bytes,11,opt,name=sdk_version,json=sdkVersion,proto3" json:"sdk_version,omitempty"`
	// contains filtered or unexported fields
}

func (*EchoRequest) Descriptor deprecated added in v0.7.3

func (*EchoRequest) Descriptor() ([]byte, []int)

Deprecated: Use EchoRequest.ProtoReflect.Descriptor instead.

func (*EchoRequest) GetClusterAddr added in v0.7.3

func (x *EchoRequest) GetClusterAddr() string

func (*EchoRequest) GetClusterAddrs added in v0.9.0

func (x *EchoRequest) GetClusterAddrs() []string

func (*EchoRequest) GetMessage added in v0.7.3

func (x *EchoRequest) GetMessage() string

func (*EchoRequest) GetNodeInfo added in v1.5.0

func (x *EchoRequest) GetNodeInfo() *NodeInformation

func (*EchoRequest) GetRaftAppliedIndex added in v1.2.0

func (x *EchoRequest) GetRaftAppliedIndex() uint64

func (*EchoRequest) GetRaftDesiredSuffrage added in v1.7.0

func (x *EchoRequest) GetRaftDesiredSuffrage() string

func (*EchoRequest) GetRaftNodeID added in v1.2.0

func (x *EchoRequest) GetRaftNodeID() string

func (*EchoRequest) GetRaftRedundancyZone added in v1.11.0

func (x *EchoRequest) GetRaftRedundancyZone() string

func (*EchoRequest) GetRaftTerm added in v1.7.0

func (x *EchoRequest) GetRaftTerm() uint64

func (*EchoRequest) GetRaftUpgradeVersion added in v1.11.0

func (x *EchoRequest) GetRaftUpgradeVersion() string

func (*EchoRequest) GetSdkVersion added in v1.11.0

func (x *EchoRequest) GetSdkVersion() string

func (*EchoRequest) ProtoMessage added in v0.7.3

func (*EchoRequest) ProtoMessage()

func (*EchoRequest) ProtoReflect added in v1.5.0

func (x *EchoRequest) ProtoReflect() protoreflect.Message

func (*EchoRequest) Reset added in v0.7.3

func (x *EchoRequest) Reset()

func (*EchoRequest) String added in v0.7.3

func (x *EchoRequest) String() string

type EncodedKeyring added in v0.2.0

// EncodedKeyring is used for serialization of the keyring.
// NOTE(review): this carries key material (MasterKey, Keys), so any
// serialized copy should be treated as secret — confirm where it is
// persisted and that it is only written through the encrypting barrier.
type EncodedKeyring struct {
	// MasterKey is the serialized master key material.
	MasterKey []byte
	// Keys is the set of serialized keyring keys.
	Keys []*Key
	// RotationConfig is the keyring's rotation configuration.
	RotationConfig KeyRotationConfig
}

EncodedKeyring is used for serialization of the keyring

type EntityCounter added in v1.3.0

// EntityCounter counts the number of entities.
type EntityCounter struct {
	// Total is the total number of entities
	Total int `json:"total"`
}

EntityCounter counts the number of entities

type EntityCreator added in v1.9.0

// EntityCreator is implemented by anything able to create identity entities.
type EntityCreator interface {
	// CreateEntity creates an identity.Entity, returning it or an error.
	CreateEntity(ctx context.Context) (*identity.Entity, error)
}

type ErrDecrypt added in v1.6.0

// ErrDecrypt is the error type reported for decryption failures; it has an
// Is method, so callers can match it with errors.Is.
type ErrDecrypt struct {
	// Err is the underlying error.
	Err error
}

func (*ErrDecrypt) Error added in v1.6.0

func (e *ErrDecrypt) Error() string

func (*ErrDecrypt) Is added in v1.6.0

func (e *ErrDecrypt) Is(target error) bool

type ErrEncrypt added in v1.6.0

// ErrEncrypt is the error type reported for encryption failures; it has an
// Is method, so callers can match it with errors.Is.
type ErrEncrypt struct {
	// Err is the underlying error.
	Err error
}

func (*ErrEncrypt) Error added in v1.6.0

func (e *ErrEncrypt) Error() string

func (*ErrEncrypt) Is added in v1.6.0

func (e *ErrEncrypt) Is(target error) bool

type ErrInvalidKey

// ErrInvalidKey is returned if there is a user-based error with a provided
// unseal key. It is shown to the user.
type ErrInvalidKey struct {
	// Reason is displayed to the user, so it must not contain sensitive
	// information (no key material, no internal state).
	Reason string
}

ErrInvalidKey is returned if there is a user-based error with a provided unseal key. This will be shown to the user, so it must not contain sensitive information.

func (*ErrInvalidKey) Error

func (e *ErrInvalidKey) Error() string

type ExpirationManager

// ExpirationManager is used by the Core to manage leases. Secrets can
// provide a lease, meaning that they can be renewed or revoked. If a secret
// is not renewed in a timely manner it may expire, and the ExpirationManager
// handles the automatic revocation.
type ExpirationManager struct {
	// contains filtered or unexported fields
}

ExpirationManager is used by the Core to manage leases. Secrets can provide a lease, meaning that they can be renewed or revoked. If a secret is not renewed in timely manner, it may be expired, and the ExpirationManager will handle doing automatic revocation.

func NewExpirationManager

func NewExpirationManager(c *Core, view *BarrierView, e ExpireLeaseStrategy, logger log.Logger, detectDeadlocks bool) *ExpirationManager

NewExpirationManager creates a new ExpirationManager that is backed using a given view, and uses the provided router for revocation.

func (*ExpirationManager) CreateOrFetchRevocationLeaseByToken added in v0.10.2

func (m *ExpirationManager) CreateOrFetchRevocationLeaseByToken(ctx context.Context, te *logical.TokenEntry) (string, error)

CreateOrFetchRevocationLeaseByToken is used to create or fetch the matching leaseID for a particular token. The lease is set to expire immediately after it's created.

func (*ExpirationManager) DetectDeadlocks added in v1.13.10

func (e *ExpirationManager) DetectDeadlocks() bool

func (*ExpirationManager) FetchLeaseTimes added in v0.5.0

func (m *ExpirationManager) FetchLeaseTimes(ctx context.Context, leaseID string) (*leaseEntry, error)

FetchLeaseTimes is used to fetch the issue time, expiration time, and last renewed time of a lease entry. It returns a leaseEntry itself, but with only those values copied over.

func (*ExpirationManager) FetchLeaseTimesByToken added in v0.5.0

func (m *ExpirationManager) FetchLeaseTimesByToken(ctx context.Context, te *logical.TokenEntry) (*leaseEntry, error)

FetchLeaseTimesByToken is a helper function to use token values to compute the leaseID, rather than pushing that logic back into the token store. As a special case, for a batch token it simply returns the information encoded on it.

func (*ExpirationManager) LazyRevoke added in v0.10.4

func (m *ExpirationManager) LazyRevoke(ctx context.Context, leaseID string) error

LazyRevoke is used to queue revocation for a secret named by the given LeaseID. If the lease was not found it returns nil; if the lease was found it triggers a return of a 202.

func (*ExpirationManager) Register

func (m *ExpirationManager) Register(ctx context.Context, req *logical.Request, resp *logical.Response, loginRole string) (id string, retErr error)

Register is used to take a request and response with an associated lease. The secret gets assigned a LeaseID and the management of the lease is assumed by the expiration manager.

func (*ExpirationManager) RegisterAuth

func (m *ExpirationManager) RegisterAuth(ctx context.Context, te *logical.TokenEntry, auth *logical.Auth, loginRole string) error

RegisterAuth is used to take an Auth response with an associated lease. The token does not get a LeaseID, but the lease management is handled by the expiration manager.

func (*ExpirationManager) Renew

func (m *ExpirationManager) Renew(ctx context.Context, leaseID string, increment time.Duration) (*logical.Response, error)

Renew is used to renew a secret using the given leaseID and a renew interval. The increment may be ignored.

func (*ExpirationManager) RenewToken

func (m *ExpirationManager) RenewToken(ctx context.Context, req *logical.Request, te *logical.TokenEntry,
	increment time.Duration,
) (*logical.Response, error)

RenewToken is used to renew a token which does not need to invoke a logical backend.

func (*ExpirationManager) Restore

func (m *ExpirationManager) Restore(errorFunc func()) (retErr error)

Restore is used to recover the lease states when starting. This is used after starting the vault.

func (*ExpirationManager) Revoke

func (m *ExpirationManager) Revoke(ctx context.Context, leaseID string) error

Revoke is used to revoke a secret named by the given LeaseID.

func (*ExpirationManager) RevokeByToken

func (m *ExpirationManager) RevokeByToken(ctx context.Context, te *logical.TokenEntry) error

RevokeByToken is used to revoke all the secrets issued with a given token. This is done by using the secondary index. It also removes the lease entry for the token itself. As a result it should *ONLY* ever be called from the token store's revokeInternal function. (NB: it's called by token tidy as well.)

func (*ExpirationManager) RevokeForce added in v0.5.2

func (m *ExpirationManager) RevokeForce(ctx context.Context, prefix string) error

RevokeForce works similarly to RevokePrefix but continues past revocation errors; it is mostly meant for recovery operations.

func (*ExpirationManager) RevokePrefix

func (m *ExpirationManager) RevokePrefix(ctx context.Context, prefix string, sync bool) error

RevokePrefix is used to revoke all secrets with a given prefix. The prefix maps to that of the mount table to make this simpler to reason about.

func (*ExpirationManager) Stop

func (m *ExpirationManager) Stop() error

Stop is used to prevent further automatic revocations. This must be called before sealing the view.

func (*ExpirationManager) Tidy added in v0.7.1

func (m *ExpirationManager) Tidy(ctx context.Context) error

Tidy cleans up dangling storage entries for leases. It scans the storage view to find all available leases, checks whether the token embedded in each is either empty or invalid, and in both cases revokes the lease. It uses a token cache to avoid repeated lookups of the same token ID. Using the API that invokes this is normally not required; it is only intended to clean up storage corrupted by bugs.

func (*ExpirationManager) WalkTokens added in v1.5.0

func (m *ExpirationManager) WalkTokens(walkFn ExpirationWalkFunction) error

WalkTokens extracts the Auth structure from leases corresponding to tokens. Returning false from the walk function terminates the iteration.

type ExpirationWalkFunction added in v1.5.0

type ExpirationWalkFunction = func(leaseID string, auth *logical.Auth, path string) bool

ExpirationWalkFunction is the callback type used to walk the tokens referenced in the expiration manager. leaseEntry is not used here because it is an unexported type (though most likely this would only be called from within the "vault" core package).

type ExpireLeaseStrategy added in v0.11.2

type ExpireLeaseStrategy func(context.Context, *ExpirationManager, string, *namespace.Namespace)

type FailedLoginInfo added in v1.13.0

type FailedLoginInfo struct {
	// contains filtered or unexported fields
}

type FailedLoginUser added in v1.13.0

type FailedLoginUser struct {
	// contains filtered or unexported fields
}

type FeatureFlags added in v1.4.0

type FeatureFlags struct {
	NamespacesCubbyholesLocal bool `json:"namespace_cubbyholes_local"`
}

type ForwardedWriter added in v1.13.0

type ForwardedWriter struct {
	// contains filtered or unexported fields
}

The forwarded writer has two components: a reference to Core, which gives access to the GRPC client and resolved paths, and a lower storage layer to call upon when writes should not be forwarded.

This implementation lives in OSS: although the GRPC connection is not present on OSS, paths written to these forwarded nodes must correctly template {{clusterId}} in case the node is later upgraded to Enterprise, rather than being written with the template sentinel still in place.

XXX: In the future, we'll need to support wrapping transactional storage.

func (*ForwardedWriter) Delete added in v1.13.0

func (w *ForwardedWriter) Delete(ctx context.Context, path string) error

func (*ForwardedWriter) Get added in v1.13.0

func (*ForwardedWriter) List added in v1.13.0

func (w *ForwardedWriter) List(ctx context.Context, path string) ([]string, error)

func (*ForwardedWriter) Put added in v1.13.0

type GenerateRootConfig added in v0.5.0

type GenerateRootConfig struct {
	Nonce          string
	PGPKey         string
	PGPFingerprint string
	OTP            string
	Strategy       GenerateRootStrategy
}

GenerateRootConfig holds the configuration for a root generation command.

type GenerateRootResult added in v0.5.0

type GenerateRootResult struct {
	Progress       int
	Required       int
	EncodedToken   string
	PGPFingerprint string
}

GenerateRootResult holds the result of a root generation update command.

type GenerateRootStrategy added in v0.9.0

type GenerateRootStrategy interface {
	// contains filtered or unexported methods
}

GenerateRootStrategy allows us to swap out the strategy we want to use to create a token upon completion of the generate root process.

var (
	// GenerateStandardRootTokenStrategy is the strategy used to generate a
	// typical root token
	GenerateStandardRootTokenStrategy GenerateRootStrategy = generateStandardRootToken{}

	// GenerateDROperationTokenStrategy is the strategy used to generate a
	// DR operational token
	//
	// NOTE: in this build it is backed by the same generateStandardRootToken{}
	// value as GenerateStandardRootTokenStrategy.
	GenerateDROperationTokenStrategy GenerateRootStrategy = generateStandardRootToken{}
)

func GenerateRecoveryTokenStrategy added in v1.3.0

func GenerateRecoveryTokenStrategy(token *atomic.String) GenerateRootStrategy

GenerateRecoveryTokenStrategy is the strategy used to generate a recovery token.

type GroupPolicyApplicationMode added in v1.13.0

type GroupPolicyApplicationMode struct {
	GroupPolicyApplicationMode string `json:"group_policy_application_mode"`
}

type GroupUpdater added in v1.9.0

type GroupUpdater interface {
	SendGroupUpdate(ctx context.Context, group *identity.Group) (bool, error)
}

type HAStatusNode added in v1.10.0

type HAStatusNode struct {
	Hostname       string     `json:"hostname"`
	APIAddress     string     `json:"api_address"`
	ClusterAddress string     `json:"cluster_address"`
	ActiveNode     bool       `json:"active_node"`
	LastEcho       *time.Time `json:"last_echo"`
	Version        string     `json:"version"`
	UpgradeVersion string     `json:"upgrade_version,omitempty"`
	RedundancyZone string     `json:"redundancy_zone,omitempty"`
}

type HCPLinkStatus added in v1.12.0

type HCPLinkStatus struct {
	ConnectionStatus string `json:"hcp_link_status,omitempty"`
	ResourceIDOnHCP  string `json:"resource_ID_on_hcp,omitempty"`
	// contains filtered or unexported fields
}

type HLLGetter added in v1.11.12

type HLLGetter func(ctx context.Context, startTime time.Time) (*hyperloglog.Sketch, error)

type HandlerHandler added in v1.13.0

type HandlerHandler interface {
	Handler(*HandlerProperties) http.Handler
}

type HandlerProperties added in v0.10.4

type HandlerProperties struct {
	Core                  *Core
	ListenerConfig        *configutil.Listener
	DisablePrintableCheck bool
	RecoveryMode          bool
	RecoveryToken         *uberAtomic.String
}

HandlerProperties is used to seed configuration into a vaulthttp.Handler. It lives in this package to avoid a circular dependency.

type IdentityFactor added in v0.11.2

type IdentityFactor struct {
	GroupIDs          []string `hcl:"group_ids"`
	GroupNames        []string `hcl:"group_names"`
	ApprovalsRequired int      `hcl:"approvals"`
}

type IdentityStore added in v0.9.0

type IdentityStore struct {
	// IdentityStore is a secret backend in Vault
	*framework.Backend
	// contains filtered or unexported fields
}

IdentityStore is composed of its own storage view and a MemDB which maintains active in-memory replicas of the storage contents indexed by multiple fields.

func NewIdentityStore added in v0.9.0

func NewIdentityStore(ctx context.Context, core *Core, config *logical.BackendConfig, logger log.Logger) (*IdentityStore, error)

func (*IdentityStore) CreateEntity added in v0.9.0

func (i *IdentityStore) CreateEntity(ctx context.Context) (*identity.Entity, error)

CreateEntity creates a new entity.

func (*IdentityStore) CreateOrFetchEntity added in v0.9.4

func (i *IdentityStore) CreateOrFetchEntity(ctx context.Context, alias *logical.Alias) (*identity.Entity, bool, error)

CreateOrFetchEntity creates a new entity. This is used by core to associate each login attempt by an alias to a unified entity in Vault.

func (*IdentityStore) Invalidate added in v0.9.0

func (i *IdentityStore) Invalidate(ctx context.Context, key string)

Invalidate is a callback wherein the backend is informed that the value at the given key is updated. In identity store's case, it would be the entity storage entries that get updated. The value needs to be read and MemDB needs to be updated accordingly.

func (*IdentityStore) MemDBAliasByFactors added in v0.9.0

func (i *IdentityStore) MemDBAliasByFactors(mountAccessor, aliasName string, clone bool, groupAlias bool) (*identity.Alias, error)

func (*IdentityStore) MemDBAliasByFactorsInTxn added in v0.9.4

func (i *IdentityStore) MemDBAliasByFactorsInTxn(txn *memdb.Txn, mountAccessor, aliasName string, clone bool, groupAlias bool) (*identity.Alias, error)

func (*IdentityStore) MemDBAliasByID added in v0.9.0

func (i *IdentityStore) MemDBAliasByID(aliasID string, clone bool, groupAlias bool) (*identity.Alias, error)

func (*IdentityStore) MemDBAliasByIDInTxn added in v0.9.0

func (i *IdentityStore) MemDBAliasByIDInTxn(txn *memdb.Txn, aliasID string, clone bool, groupAlias bool) (*identity.Alias, error)

func (*IdentityStore) MemDBAliases added in v0.9.0

func (i *IdentityStore) MemDBAliases(ws memdb.WatchSet, groupAlias bool) (memdb.ResultIterator, error)

func (*IdentityStore) MemDBDeleteAliasByIDInTxn added in v0.9.0

func (i *IdentityStore) MemDBDeleteAliasByIDInTxn(txn *memdb.Txn, aliasID string, groupAlias bool) error

func (*IdentityStore) MemDBDeleteEntityByID added in v0.9.0

func (i *IdentityStore) MemDBDeleteEntityByID(entityID string) error

func (*IdentityStore) MemDBDeleteEntityByIDInTxn added in v0.9.0

func (i *IdentityStore) MemDBDeleteEntityByIDInTxn(txn *memdb.Txn, entityID string) error

func (*IdentityStore) MemDBDeleteGroupByIDInTxn added in v0.9.0

func (i *IdentityStore) MemDBDeleteGroupByIDInTxn(txn *memdb.Txn, groupID string) error

func (*IdentityStore) MemDBEntitiesByBucketKeyInTxn added in v1.2.0

func (i *IdentityStore) MemDBEntitiesByBucketKeyInTxn(txn *memdb.Txn, bucketKey string) ([]*identity.Entity, error)

func (*IdentityStore) MemDBEntityByAliasID added in v0.9.0

func (i *IdentityStore) MemDBEntityByAliasID(aliasID string, clone bool) (*identity.Entity, error)

func (*IdentityStore) MemDBEntityByAliasIDInTxn added in v0.9.0

func (i *IdentityStore) MemDBEntityByAliasIDInTxn(txn *memdb.Txn, aliasID string, clone bool) (*identity.Entity, error)

func (*IdentityStore) MemDBEntityByID added in v0.9.0

func (i *IdentityStore) MemDBEntityByID(entityID string, clone bool) (*identity.Entity, error)

func (*IdentityStore) MemDBEntityByIDInTxn added in v0.9.0

func (i *IdentityStore) MemDBEntityByIDInTxn(txn *memdb.Txn, entityID string, clone bool) (*identity.Entity, error)

func (*IdentityStore) MemDBEntityByMergedEntityID added in v0.9.0

func (i *IdentityStore) MemDBEntityByMergedEntityID(mergedEntityID string, clone bool) (*identity.Entity, error)

func (*IdentityStore) MemDBEntityByName added in v0.9.0

func (i *IdentityStore) MemDBEntityByName(ctx context.Context, entityName string, clone bool) (*identity.Entity, error)

func (*IdentityStore) MemDBEntityByNameInTxn added in v0.9.0

func (i *IdentityStore) MemDBEntityByNameInTxn(ctx context.Context, txn *memdb.Txn, entityName string, clone bool) (*identity.Entity, error)

func (*IdentityStore) MemDBGroupByAliasID added in v0.9.0

func (i *IdentityStore) MemDBGroupByAliasID(aliasID string, clone bool) (*identity.Group, error)

func (*IdentityStore) MemDBGroupByAliasIDInTxn added in v0.9.0

func (i *IdentityStore) MemDBGroupByAliasIDInTxn(txn *memdb.Txn, aliasID string, clone bool) (*identity.Group, error)

func (*IdentityStore) MemDBGroupByID added in v0.9.0

func (i *IdentityStore) MemDBGroupByID(groupID string, clone bool) (*identity.Group, error)

func (*IdentityStore) MemDBGroupByIDInTxn added in v0.9.0

func (i *IdentityStore) MemDBGroupByIDInTxn(txn *memdb.Txn, groupID string, clone bool) (*identity.Group, error)

func (*IdentityStore) MemDBGroupByName added in v0.9.0

func (i *IdentityStore) MemDBGroupByName(ctx context.Context, groupName string, clone bool) (*identity.Group, error)

func (*IdentityStore) MemDBGroupByNameInTxn added in v0.9.0

func (i *IdentityStore) MemDBGroupByNameInTxn(ctx context.Context, txn *memdb.Txn, groupName string, clone bool) (*identity.Group, error)

func (*IdentityStore) MemDBGroupsByBucketKeyInTxn added in v1.2.0

func (i *IdentityStore) MemDBGroupsByBucketKeyInTxn(txn *memdb.Txn, bucketKey string) ([]*identity.Group, error)

func (*IdentityStore) MemDBGroupsByMemberEntityID added in v0.9.0

func (i *IdentityStore) MemDBGroupsByMemberEntityID(entityID string, clone bool, externalOnly bool) ([]*identity.Group, error)

func (*IdentityStore) MemDBGroupsByMemberEntityIDInTxn added in v0.9.0

func (i *IdentityStore) MemDBGroupsByMemberEntityIDInTxn(txn *memdb.Txn, entityID string, clone bool, externalOnly bool) ([]*identity.Group, error)

func (*IdentityStore) MemDBGroupsByParentGroupID added in v0.9.0

func (i *IdentityStore) MemDBGroupsByParentGroupID(memberGroupID string, clone bool) ([]*identity.Group, error)

func (*IdentityStore) MemDBGroupsByParentGroupIDInTxn added in v0.9.0

func (i *IdentityStore) MemDBGroupsByParentGroupIDInTxn(txn *memdb.Txn, memberGroupID string, clone bool) ([]*identity.Group, error)

func (*IdentityStore) MemDBLocalAliasesByBucketKeyInTxn added in v1.9.0

func (i *IdentityStore) MemDBLocalAliasesByBucketKeyInTxn(txn *memdb.Txn, bucketKey string) ([]*identity.Alias, error)

func (*IdentityStore) MemDBUpsertAliasInTxn added in v0.9.0

func (i *IdentityStore) MemDBUpsertAliasInTxn(txn *memdb.Txn, alias *identity.Alias, groupAlias bool) error

func (*IdentityStore) MemDBUpsertEntityInTxn added in v0.9.0

func (i *IdentityStore) MemDBUpsertEntityInTxn(txn *memdb.Txn, entity *identity.Entity) error

func (*IdentityStore) MemDBUpsertGroupInTxn added in v0.9.0

func (i *IdentityStore) MemDBUpsertGroupInTxn(txn *memdb.Txn, group *identity.Group) error

func (*IdentityStore) UpsertGroup added in v0.9.0

func (i *IdentityStore) UpsertGroup(ctx context.Context, group *identity.Group, persist bool) error

func (*IdentityStore) UpsertGroupInTxn added in v0.10.4

func (i *IdentityStore) UpsertGroupInTxn(ctx context.Context, txn *memdb.Txn, group *identity.Group, persist bool) error

type InFlightReqData added in v1.10.0

type InFlightReqData struct {
	StartTime        time.Time `json:"start_time"`
	ClientRemoteAddr string    `json:"client_remote_address"`
	ReqPath          string    `json:"request_path"`
	Method           string    `json:"request_method"`
	ClientID         string    `json:"client_id"`
}

type InFlightRequests added in v1.10.0

type InFlightRequests struct {
	InFlightReqMap   *sync.Map
	InFlightReqCount *uberAtomic.Uint64
}

type InitParams added in v0.6.2

type InitParams struct {
	BarrierConfig   *SealConfig
	RecoveryConfig  *SealConfig
	RootTokenPGPKey string
	// LegacyShamirSeal should only be used in test code, we don't want to
	// give the user a way to create legacy shamir seals.
	LegacyShamirSeal bool
}

InitParams keeps the init function from being littered with too many params, that's it!

type InitResult

// InitResult is used to provide the key parts back after they are generated
// as part of the initialization.
type InitResult struct {
	SecretShares   [][]byte
	RecoveryShares [][]byte
	RootToken      string
}

InitResult is used to provide the key parts back after they are generated as part of the initialization.

type InitializableBackend added in v1.2.0

type InitializableBackend struct {
	*NoopBackend
	// contains filtered or unexported fields
}

InitializableBackend is a backend that knows whether it has been initialized properly.

func (*InitializableBackend) Initialize added in v1.2.0

type Inspectable added in v1.13.0

type Inspectable interface {
	// Returns a record view of a particular subsystem
	GetRecords(tag string) ([]map[string]interface{}, error)
}

type Key added in v0.2.0

// Key represents a single term, along with the key used.
type Key struct {
	Term        uint32
	Version     int
	Value       []byte
	InstallTime time.Time
	// Encryptions is omitted from the JSON encoding when zero.
	Encryptions uint64 `json:"encryptions,omitempty"`
}

Key represents a single term, along with the key used.

func DeserializeKey added in v0.2.0

func DeserializeKey(buf []byte) (*Key, error)

DeserializeKey is used to deserialize and return a new key.

func (*Key) Serialize added in v0.2.0

func (k *Key) Serialize() ([]byte, error)

Serialize is used to create a byte-encoded key.

type KeyInfo added in v0.2.0

type KeyInfo struct {
	Term        int
	InstallTime time.Time
	Encryptions int64
}

KeyInfo is used to convey information about the encryption key.

type KeyRotationConfig added in v1.7.0

type KeyRotationConfig struct {
	Disabled      bool
	MaxOperations int64
	Interval      time.Duration
}

func (KeyRotationConfig) Clone added in v1.7.0

func (*KeyRotationConfig) Equals added in v1.7.0

func (c *KeyRotationConfig) Equals(config KeyRotationConfig) bool

func (*KeyRotationConfig) Sanitize added in v1.7.0

func (c *KeyRotationConfig) Sanitize()

type Keyring added in v0.2.0

type Keyring struct {
	// contains filtered or unexported fields
}

Keyring is used to manage multiple encryption keys used by the barrier. New keys can be installed and each has a sequential term. The term used to encrypt a key is prefixed to the key written out. All data is encrypted with the latest key, but storing the old keys allows for decryption of keys written previously. Along with the encryption keys, the keyring also tracks the root key. This is necessary so that when a new key is added to the keyring, we can encrypt with the root key and write out the new keyring.

func DeserializeKeyring added in v0.2.0

func DeserializeKeyring(buf []byte) (*Keyring, error)

DeserializeKeyring is used to deserialize and return a new keyring.

func NewKeyring added in v0.2.0

func NewKeyring() *Keyring

NewKeyring creates a new keyring

func (*Keyring) ActiveKey added in v0.2.0

func (k *Keyring) ActiveKey() *Key

ActiveKey returns the active encryption key, or nil if there is none.

func (*Keyring) ActiveTerm added in v0.2.0

func (k *Keyring) ActiveTerm() uint32

ActiveTerm returns the currently active term

func (*Keyring) AddKey added in v0.2.0

func (k *Keyring) AddKey(key *Key) (*Keyring, error)

AddKey adds a new key to the keyring

func (*Keyring) Clone added in v0.2.0

func (k *Keyring) Clone() *Keyring

Clone returns a new copy of the keyring

func (*Keyring) RemoveKey added in v0.2.0

func (k *Keyring) RemoveKey(term uint32) (*Keyring, error)

RemoveKey removes a key from the keyring

func (*Keyring) RootKey added in v1.10.0

func (k *Keyring) RootKey() []byte

RootKey returns the root key

func (*Keyring) Serialize added in v0.2.0

func (k *Keyring) Serialize() ([]byte, error)

Serialize is used to create a byte-encoded keyring.

func (*Keyring) SetRootKey added in v1.10.0

func (k *Keyring) SetRootKey(val []byte) *Keyring

SetRootKey is used to update the root key.

func (*Keyring) TermKey added in v0.2.0

func (k *Keyring) TermKey(term uint32) *Key

TermKey returns the key for the given term, or nil if no such term exists.

func (*Keyring) Zeroize added in v0.6.0

func (k *Keyring) Zeroize(keysToo bool)

N.B.: since Go 1.5 these zeroizations are not reliable; see the documentation around the memzero function. They are best-effort.

type LeaderResponse added in v1.6.2

type LeaderResponse struct {
	HAEnabled                bool      `json:"ha_enabled"`
	IsSelf                   bool      `json:"is_self"`
	ActiveTime               time.Time `json:"active_time,omitempty"`
	LeaderAddress            string    `json:"leader_address"`
	LeaderClusterAddress     string    `json:"leader_cluster_address"`
	PerfStandby              bool      `json:"performance_standby"`
	PerfStandbyLastRemoteWAL uint64    `json:"performance_standby_last_remote_wal"`
	LastWAL                  uint64    `json:"last_wal,omitempty"`

	// Raft Indexes for this node
	RaftCommittedIndex uint64 `json:"raft_committed_index,omitempty"`
	RaftAppliedIndex   uint64 `json:"raft_applied_index,omitempty"`
}

type LicenseState added in v1.8.0

type LicenseState struct {
	State      string
	ExpiryTime time.Time
	Terminated bool
}

type LicensingConfig added in v0.11.2

type LicensingConfig struct {
	AdditionalPublicKeys []interface{}
}

type ListenerCustomHeaders added in v1.9.0

type ListenerCustomHeaders struct {
	Address             string
	StatusCodeHeaderMap map[string][]*logical.CustomHeader
	// contains filtered or unexported fields
}

func NewListenerCustomHeader added in v1.9.0

func NewListenerCustomHeader(ln []*configutil.Listener, logger log.Logger, uiHeaders http.Header) []*ListenerCustomHeaders

func (*ListenerCustomHeaders) ExistCustomResponseHeader added in v1.9.0

func (l *ListenerCustomHeaders) ExistCustomResponseHeader(header string) bool

type ListingVisibilityType added in v0.10.2

type ListingVisibilityType string

ListingVisibilityType represents the types for listing visibility

const (
	// ListingVisibilityDefault is the default value for listing visibility
	ListingVisibilityDefault ListingVisibilityType = ""
	// ListingVisibilityHidden is the hidden type for listing visibility
	ListingVisibilityHidden ListingVisibilityType = "hidden"
	// ListingVisibilityUnauth is the unauth type for listing visibility
	ListingVisibilityUnauth ListingVisibilityType = "unauth"

	MountTableUpdateStorage   = true
	MountTableNoUpdateStorage = false
)

type LocalNode added in v1.9.0

type LocalNode interface {
	ReplicationState() consts.ReplicationState
	HAState() consts.HAState
}

type LockedUsersResponse added in v1.13.0

type LockedUsersResponse struct {
	NamespaceID    string                    `json:"namespace_id" mapstructure:"namespace_id"`
	NamespacePath  string                    `json:"namespace_path" mapstructure:"namespace_path"`
	Counts         int                       `json:"counts" mapstructure:"counts"`
	MountAccessors []*ResponseMountAccessors `json:"mount_accessors" mapstructure:"mount_accessors"`
}

type LoginMFABackend added in v1.10.0

type LoginMFABackend struct {
	*MFABackend
}

func NewLoginMFABackend added in v1.10.0

func NewLoginMFABackend(core *Core, logger hclog.Logger) *LoginMFABackend

func (*LoginMFABackend) MemDBDeleteMFAConfigByID added in v1.10.0

func (b *LoginMFABackend) MemDBDeleteMFAConfigByID(methodId, tableName string) error

func (*LoginMFABackend) MemDBDeleteMFAConfigByIDInTxn added in v1.10.0

func (b *LoginMFABackend) MemDBDeleteMFAConfigByIDInTxn(txn *memdb.Txn, configID string) error

func (*LoginMFABackend) MemDBDeleteMFALoginEnforcementConfigByNameAndNamespace added in v1.10.0

func (b *LoginMFABackend) MemDBDeleteMFALoginEnforcementConfigByNameAndNamespace(name, namespaceId, tableName string) error

func (*LoginMFABackend) MemDBMFAConfigByID added in v1.10.0

func (b *LoginMFABackend) MemDBMFAConfigByID(mConfigID string) (*mfa.Config, error)

func (*LoginMFABackend) MemDBMFAConfigByIDInTxn added in v1.10.0

func (b *LoginMFABackend) MemDBMFAConfigByIDInTxn(txn *memdb.Txn, mConfigID string) (*mfa.Config, error)

func (*LoginMFABackend) MemDBMFAConfigByName added in v1.13.0

func (b *LoginMFABackend) MemDBMFAConfigByName(ctx context.Context, name string) (*mfa.Config, error)

func (*LoginMFABackend) MemDBMFAConfigByNameInTxn added in v1.13.0

func (b *LoginMFABackend) MemDBMFAConfigByNameInTxn(ctx context.Context, txn *memdb.Txn, mConfigName string) (*mfa.Config, error)

func (*LoginMFABackend) MemDBMFALoginEnforcementConfigByNameAndNamespace added in v1.10.0

func (b *LoginMFABackend) MemDBMFALoginEnforcementConfigByNameAndNamespace(name, namespaceId string) (*mfa.MFAEnforcementConfig, error)

func (*LoginMFABackend) MemDBMFALoginEnforcementConfigIterator added in v1.10.0

func (b *LoginMFABackend) MemDBMFALoginEnforcementConfigIterator() (memdb.ResultIterator, error)

func (*LoginMFABackend) MemDBUpsertMFALoginEnforcementConfig added in v1.10.0

func (b *LoginMFABackend) MemDBUpsertMFALoginEnforcementConfig(ctx context.Context, eConfig *mfa.MFAEnforcementConfig) error

func (*LoginMFABackend) ResetLoginMFAMemDB added in v1.10.3

func (b *LoginMFABackend) ResetLoginMFAMemDB() error

type LoginMFAPriorityQueue added in v1.10.0

type LoginMFAPriorityQueue struct {
	// contains filtered or unexported fields
}

func NewLoginMFAPriorityQueue added in v1.10.0

func NewLoginMFAPriorityQueue() *LoginMFAPriorityQueue

NewLoginMFAPriorityQueue initializes the internal data structures and returns a new PriorityQueue

func (*LoginMFAPriorityQueue) Len added in v1.10.0

func (pq *LoginMFAPriorityQueue) Len() int

Len returns the count of items in the Priority Queue

func (*LoginMFAPriorityQueue) PopByKey added in v1.10.0

func (pq *LoginMFAPriorityQueue) PopByKey(reqID string) (*MFACachedAuthResponse, error)

PopByKey searches the queue for an item with the given key and removes it from the queue if found. Returns nil if not found.

func (*LoginMFAPriorityQueue) Push added in v1.10.0

Push pushes an item on to the queue. This is a wrapper/convenience method that calls heap.Push, so consumers do not need to invoke heap functions directly. Items must have unique Keys, and Items in the queue cannot be updated. To modify an Item, users must first remove it and re-push it after modification.

func (*LoginMFAPriorityQueue) RemoveExpiredMfaAuthResponse added in v1.10.0

func (pq *LoginMFAPriorityQueue) RemoveExpiredMfaAuthResponse(expiryTime time.Duration, cutoffTime time.Time) error

RemoveExpiredMfaAuthResponse pops elements off the queue and checks whether each entry has expired. If an entry has not expired, it is pushed back onto the queue. It returns false if there is no expired element left to be removed, true otherwise. cutoffTime should normally be time.Now() except in tests.

type MFABackend added in v1.10.0

type MFABackend struct {
	Core *Core
	// contains filtered or unexported fields
}

func NewMFABackend added in v1.10.0

func NewMFABackend(core *Core, logger hclog.Logger, prefix string, schemaFuncs []func() *memdb.TableSchema) *MFABackend

func (*MFABackend) MemDBUpsertMFAConfig added in v1.10.0

func (b *MFABackend) MemDBUpsertMFAConfig(ctx context.Context, mConfig *mfa.Config) error

func (*MFABackend) MemDBUpsertMFAConfigInTxn added in v1.10.0

func (b *MFABackend) MemDBUpsertMFAConfigInTxn(txn *memdb.Txn, mConfig *mfa.Config) error

type MFACachedAuthResponse added in v1.10.0

type MFACachedAuthResponse struct {
	CachedAuth            *logical.Auth
	RequestPath           string
	RequestNSID           string
	RequestNSPath         string
	RequestConnRemoteAddr string
	TimeOfStorage         time.Time
	RequestID             string
}

type MFAFactor added in v1.13.0

type MFAFactor struct {
	// contains filtered or unexported fields
}

type MountConfig added in v0.3.0

type MountConfig struct {
	DefaultLeaseTTL           time.Duration         `json:"default_lease_ttl,omitempty" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` // Override for global default
	MaxLeaseTTL               time.Duration         `json:"max_lease_ttl,omitempty" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`             // Override for global default
	ForceNoCache              bool                  `json:"force_no_cache,omitempty" structs:"force_no_cache" mapstructure:"force_no_cache"`          // Override for global default
	AuditNonHMACRequestKeys   []string              `json:"audit_non_hmac_request_keys,omitempty" structs:"audit_non_hmac_request_keys" mapstructure:"audit_non_hmac_request_keys"`
	AuditNonHMACResponseKeys  []string              `` /* 128-byte string literal not displayed */
	ListingVisibility         ListingVisibilityType `json:"listing_visibility,omitempty" structs:"listing_visibility" mapstructure:"listing_visibility"`
	PassthroughRequestHeaders []string              `json:"passthrough_request_headers,omitempty" structs:"passthrough_request_headers" mapstructure:"passthrough_request_headers"`
	AllowedResponseHeaders    []string              `json:"allowed_response_headers,omitempty" structs:"allowed_response_headers" mapstructure:"allowed_response_headers"`
	TokenType                 logical.TokenType     `json:"token_type,omitempty" structs:"token_type" mapstructure:"token_type"`
	AllowedManagedKeys        []string              `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
	UserLockoutConfig         *UserLockoutConfig    `json:"user_lockout_config,omitempty" mapstructure:"user_lockout_config"`

	// PluginName is the name of the plugin registered in the catalog.
	//
	// Deprecated: MountEntry.Type should be used instead for Vault 1.0.0 and beyond.
	PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
}

MountConfig is used to hold settable options.

type MountEntry

// MountEntry is used to represent a mount table entry. Entries are grouped
// in a MountTable and located through the Router (MatchingMountByAccessor,
// MatchingMountByUUID, MatchingMountEntry). Tunable values in Config are
// mirrored into a cache by SyncCache.
type MountEntry struct {
	Table                 string            `json:"table"`                             // The table it belongs to
	Path                  string            `json:"path"`                              // Mount Path
	Type                  string            `json:"type"`                              // Logical backend Type. NB: This is the plugin name, e.g. my-vault-plugin, NOT plugin type (e.g. auth).
	Description           string            `json:"description"`                       // User-provided description
	UUID                  string            `json:"uuid"`                              // Barrier view UUID
	BackendAwareUUID      string            `json:"backend_aware_uuid"`                // UUID that can be used by the backend as a helper when a consistent value is needed outside of storage.
	Accessor              string            `json:"accessor"`                          // Unique but more human-friendly ID. Does not change, not used for any sensitive things (like as a salt, which the UUID sometimes is).
	Config                MountConfig       `json:"config"`                            // Configuration related to this mount (but not backend-derived)
	Options               map[string]string `json:"options"`                           // Backend options
	Local                 bool              `json:"local"`                             // Local mounts are not replicated or affected by replication
	SealWrap              bool              `json:"seal_wrap"`                         // Whether to wrap CSPs
	ExternalEntropyAccess bool              `json:"external_entropy_access,omitempty"` // Whether to allow external entropy source access
	Tainted               bool              `json:"tainted,omitempty"`                 // Set as a Write-Ahead flag for unmount/remount
	MountState            string            `json:"mount_state,omitempty"`             // The current mount state.  The only non-empty mount state right now is "unmounting"
	// NamespaceID identifies the namespace the mount belongs to. Namespace()
	// resolves it; APIPath() presumably includes the namespace prefix that
	// APIPathNoNamespace() leaves out.
	NamespaceID           string            `json:"namespace_id"`

	// version info
	Version        string `json:"plugin_version,omitempty"`         // The semantic version of the mounted plugin, e.g. v1.2.3.
	RunningVersion string `json:"running_plugin_version,omitempty"` // The semantic version of the mounted plugin as reported by the plugin.
	// RunningSha256 is undocumented upstream; by name it looks like the SHA-256
	// of the running plugin binary (cf. the sha256 argument of
	// PluginCatalog.Set) — confirm before relying on it.
	RunningSha256  string `json:"running_sha256,omitempty"`
	// contains filtered or unexported fields
}

MountEntry is used to represent a mount table entry

func (*MountEntry) APIPath added in v0.11.2

func (e *MountEntry) APIPath() string

APIPath returns the full API Path for the given mount entry

func (*MountEntry) APIPathNoNamespace added in v1.12.0

func (e *MountEntry) APIPathNoNamespace() string

APIPathNoNamespace returns the API Path without the namespace for the given mount entry

func (*MountEntry) Clone

func (e *MountEntry) Clone() (*MountEntry, error)

Clone returns a deep copy of the mount entry

func (*MountEntry) Deserialize added in v1.13.0

func (entry *MountEntry) Deserialize() map[string]interface{}

func (*MountEntry) Namespace added in v0.11.2

func (e *MountEntry) Namespace() *namespace.Namespace

Namespace returns the namespace for the mount entry

func (*MountEntry) SyncCache added in v0.9.6

func (e *MountEntry) SyncCache()

SyncCache syncs tunable configuration values to the cache. In the case of cached values, they should be retrieved via synthesizedConfigCache.Load() instead of accessing them directly through MountConfig.

func (*MountEntry) ViewPath added in v0.11.2

func (e *MountEntry) ViewPath() string

ViewPath returns storage prefix for the view

type MountMigrationInfo added in v1.10.0

// MountMigrationInfo describes a mount move from SourceMount to TargetMount;
// MigrationStatus is serialized as "status" and is presumably the String()
// form of a MountMigrationStatus — confirm.
type MountMigrationInfo struct {
	SourceMount     string `json:"source_mount"`
	TargetMount     string `json:"target_mount"`
	MigrationStatus string `json:"status"`
}

type MountMigrationStatus added in v1.10.0

// MountMigrationStatus is the state of a mount migration; see String() for
// its textual form.
type MountMigrationStatus int
const (
	// MigrationInProgressStatus is the zero value: a migration that has not finished.
	MigrationInProgressStatus MountMigrationStatus = iota
	MigrationSuccessStatus
	MigrationFailureStatus
)

func (MountMigrationStatus) String added in v1.10.0

func (m MountMigrationStatus) String() string

type MountTable

// MountTable is used to represent the internal mount table: a typed list of
// MountEntry values (each entry's Table field names the table it belongs to).
type MountTable struct {
	Type    string        `json:"type"`
	Entries []*MountEntry `json:"entries"`
}

MountTable is used to represent the internal mount table

type Namespacer added in v1.9.0

// Namespacer resolves namespaces by ID and enumerates them. The includePath
// flag on ListNamespaces is not documented here; presumably it controls
// whether the returned namespaces carry their path — confirm.
type Namespacer interface {
	NamespaceByID(context.Context, string) (*namespace.Namespace, error)
	ListNamespaces(includePath bool) []*namespace.Namespace
}

type NodeInformation added in v1.5.0

// NodeInformation is a protobuf-generated message (note the ProtoReflect and
// Descriptor methods) describing a cluster node's addresses, mode, ID,
// replication state and hostname. Do not edit by hand; regenerate from the
// .proto source instead.
type NodeInformation struct {
	ClusterAddr      string `protobuf:"bytes,1,opt,name=cluster_addr,json=clusterAddr,proto3" json:"cluster_addr,omitempty"`
	ApiAddr          string `protobuf:"bytes,2,opt,name=api_addr,json=apiAddr,proto3" json:"api_addr,omitempty"`
	Mode             string `protobuf:"bytes,3,opt,name=mode,proto3" json:"mode,omitempty"`
	NodeID           string `protobuf:"bytes,4,opt,name=node_id,json=nodeId,proto3" json:"node_id,omitempty"`
	ReplicationState uint32 `protobuf:"varint,5,opt,name=replication_state,json=replicationState,proto3" json:"replication_state,omitempty"` // numeric state; the enum it maps to is not shown here
	Hostname         string `protobuf:"bytes,6,opt,name=hostname,proto3" json:"hostname,omitempty"`
	// contains filtered or unexported fields
}

func (*NodeInformation) Descriptor deprecated added in v1.5.0

func (*NodeInformation) Descriptor() ([]byte, []int)

Deprecated: Use NodeInformation.ProtoReflect.Descriptor instead.

func (*NodeInformation) GetApiAddr added in v1.5.0

func (x *NodeInformation) GetApiAddr() string

func (*NodeInformation) GetClusterAddr added in v1.5.0

func (x *NodeInformation) GetClusterAddr() string

func (*NodeInformation) GetHostname added in v1.10.0

func (x *NodeInformation) GetHostname() string

func (*NodeInformation) GetMode added in v1.5.0

func (x *NodeInformation) GetMode() string

func (*NodeInformation) GetNodeID added in v1.5.0

func (x *NodeInformation) GetNodeID() string

func (*NodeInformation) GetReplicationState added in v1.5.0

func (x *NodeInformation) GetReplicationState() uint32

func (*NodeInformation) ProtoMessage added in v1.5.0

func (*NodeInformation) ProtoMessage()

func (*NodeInformation) ProtoReflect added in v1.5.0

func (x *NodeInformation) ProtoReflect() protoreflect.Message

func (*NodeInformation) Reset added in v1.5.0

func (x *NodeInformation) Reset()

func (*NodeInformation) String added in v1.5.0

func (x *NodeInformation) String() string

type NonFatalError added in v0.6.0

// NonFatalError is an error that can be returned during NewCore that should be
// displayed but not cause a program exit. Construct it with NewNonFatalError;
// the wrapped error is reachable via WrappedErrors.
type NonFatalError struct {
	Err error
}

NonFatalError is an error that can be returned during NewCore that should be displayed but not cause a program exit.

func NewNonFatalError added in v1.0.3

func NewNonFatalError(err error) *NonFatalError

NewNonFatalError returns a new non-fatal error.

func (*NonFatalError) Error added in v0.6.0

func (e *NonFatalError) Error() string

func (*NonFatalError) WrappedErrors added in v0.6.0

func (e *NonFatalError) WrappedErrors() []error

type NoopBackend added in v1.1.4

// NoopBackend is a minimal backend whose handler type, RouterTestHandlerFunc,
// marks it as a test helper; its methods (HandleRequest, Setup, SpecialPaths,
// ...) appear to satisfy logical.Backend. It embeds sync.Mutex, so it must
// not be copied and every method uses a pointer receiver.
type NoopBackend struct {
	sync.Mutex

	Root            []string
	Login           []string
	Paths           []string
	Requests        []*logical.Request
	Response        *logical.Response
	RequestHandler  RouterTestHandlerFunc
	Invalidations   []string
	DefaultLeaseTTL time.Duration
	MaxLeaseTTL     time.Duration
	BackendType     logical.BackendType

	// RollbackErrs presumably makes rollback requests fail — confirm against
	// HandleRequest.
	RollbackErrs bool
}

func (*NoopBackend) Cleanup added in v1.1.4

func (n *NoopBackend) Cleanup(ctx context.Context)

func (*NoopBackend) HandleExistenceCheck added in v1.1.4

func (n *NoopBackend) HandleExistenceCheck(ctx context.Context, req *logical.Request) (bool, bool, error)

func (*NoopBackend) HandleRequest added in v1.1.4

func (n *NoopBackend) HandleRequest(ctx context.Context, req *logical.Request) (*logical.Response, error)

func (*NoopBackend) Initialize added in v1.1.4

func (n *NoopBackend) Initialize(ctx context.Context, req *logical.InitializationRequest) error

func (*NoopBackend) InvalidateKey added in v1.1.4

func (n *NoopBackend) InvalidateKey(ctx context.Context, k string)

func (*NoopBackend) Logger added in v1.1.4

func (n *NoopBackend) Logger() log.Logger

func (*NoopBackend) Setup added in v1.1.4

func (n *NoopBackend) Setup(ctx context.Context, config *logical.BackendConfig) error

func (*NoopBackend) SpecialPaths added in v1.1.4

func (n *NoopBackend) SpecialPaths() *logical.Paths

func (*NoopBackend) System added in v1.1.4

func (n *NoopBackend) System() logical.SystemView

func (*NoopBackend) Type added in v1.1.4

func (n *NoopBackend) Type() logical.BackendType

type PassthroughBackend

// PassthroughBackend is used for storing secrets directly into the physical
// backend. The secrets are encrypted in the durable storage and custom TTL
// information can be specified, but otherwise this backend doesn't do anything
// fancy. Whether it issues leases is reported by GeneratesLeases.
type PassthroughBackend struct {
	*framework.Backend
	// contains filtered or unexported fields
}

PassthroughBackend is used for storing secrets directly into the physical backend. The secrets are encrypted in the durable storage and custom TTL information can be specified, but otherwise this backend doesn't do anything fancy.

func (*PassthroughBackend) GeneratesLeases added in v0.3.0

func (b *PassthroughBackend) GeneratesLeases() bool

type PathRules added in v0.9.0

// PathRules represents a policy for a path in the namespace. Path may be a
// prefix or contain segment wildcards (IsPrefix, HasSegmentWildcards);
// Capabilities is the raw list from the policy and Permissions the compiled
// form.
type PathRules struct {
	Path                string
	Policy              string
	Permissions         *ACLPermissions
	IsPrefix            bool
	HasSegmentWildcards bool
	Capabilities        []string

	// These keys are used at the top level to make the HCL nicer; we store in
	// the ACLPermissions object though
	MinWrappingTTLHCL     interface{}              `hcl:"min_wrapping_ttl"`
	MaxWrappingTTLHCL     interface{}              `hcl:"max_wrapping_ttl"`
	AllowedParametersHCL  map[string][]interface{} `hcl:"allowed_parameters"`
	DeniedParametersHCL   map[string][]interface{} `hcl:"denied_parameters"`
	RequiredParametersHCL []string                 `hcl:"required_parameters"`
	MFAMethodsHCL         []string                 `hcl:"mfa_methods"`
	ControlGroupHCL       *ControlGroupHCL         `hcl:"control_group"`
}

PathRules represents a policy for a path in the namespace.

type PeerNode added in v1.10.0

// PeerNode is the JSON view of a cluster peer as seen by this node; LastEcho
// is presumably the time of the last Echo RPC received from it — confirm.
type PeerNode struct {
	Hostname       string    `json:"hostname"`
	APIAddress     string    `json:"api_address"`
	ClusterAddress string    `json:"cluster_address"`
	Version        string    `json:"version"`
	LastEcho       time.Time `json:"last_echo"`
	UpgradeVersion string    `json:"upgrade_version,omitempty"`
	RedundancyZone string    `json:"redundancy_zone,omitempty"`
}

type PerfStandbyElectionInput added in v0.11.2

// PerfStandbyElectionInput is the protobuf-generated request message for
// RequestForwarding.PerformanceStandbyElectionRequest; it carries no
// exported fields.
type PerfStandbyElectionInput struct {
	// contains filtered or unexported fields
}

func (*PerfStandbyElectionInput) Descriptor deprecated added in v0.11.2

func (*PerfStandbyElectionInput) Descriptor() ([]byte, []int)

Deprecated: Use PerfStandbyElectionInput.ProtoReflect.Descriptor instead.

func (*PerfStandbyElectionInput) ProtoMessage added in v0.11.2

func (*PerfStandbyElectionInput) ProtoMessage()

func (*PerfStandbyElectionInput) ProtoReflect added in v1.5.0

func (x *PerfStandbyElectionInput) ProtoReflect() protoreflect.Message

func (*PerfStandbyElectionInput) Reset added in v0.11.2

func (x *PerfStandbyElectionInput) Reset()

func (*PerfStandbyElectionInput) String added in v0.11.2

func (x *PerfStandbyElectionInput) String() string

type PerfStandbyElectionResponse added in v0.11.2

// PerfStandbyElectionResponse is the protobuf-generated stream message for
// RequestForwarding.PerformanceStandbyElectionRequest. CaCert, ClientCert and
// ClientKey look like the TLS material handed to the elected standby; treat
// ClientKey as secret when logging or persisting — confirm the exact use.
type PerfStandbyElectionResponse struct {
	ID                 string     `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	ClusterID          string     `protobuf:"bytes,2,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"`
	PrimaryClusterAddr string     `protobuf:"bytes,3,opt,name=primary_cluster_addr,json=primaryClusterAddr,proto3" json:"primary_cluster_addr,omitempty"`
	CaCert             []byte     `protobuf:"bytes,4,opt,name=ca_cert,json=caCert,proto3" json:"ca_cert,omitempty"`
	ClientCert         []byte     `protobuf:"bytes,5,opt,name=client_cert,json=clientCert,proto3" json:"client_cert,omitempty"`
	ClientKey          *ClientKey `protobuf:"bytes,6,opt,name=client_key,json=clientKey,proto3" json:"client_key,omitempty"`
	// contains filtered or unexported fields
}

func (*PerfStandbyElectionResponse) Descriptor deprecated added in v0.11.2

func (*PerfStandbyElectionResponse) Descriptor() ([]byte, []int)

Deprecated: Use PerfStandbyElectionResponse.ProtoReflect.Descriptor instead.

func (*PerfStandbyElectionResponse) GetCaCert added in v0.11.2

func (x *PerfStandbyElectionResponse) GetCaCert() []byte

func (*PerfStandbyElectionResponse) GetClientCert added in v0.11.2

func (x *PerfStandbyElectionResponse) GetClientCert() []byte

func (*PerfStandbyElectionResponse) GetClientKey added in v0.11.2

func (x *PerfStandbyElectionResponse) GetClientKey() *ClientKey

func (*PerfStandbyElectionResponse) GetClusterID added in v1.2.0

func (x *PerfStandbyElectionResponse) GetClusterID() string

func (*PerfStandbyElectionResponse) GetID added in v1.2.0

func (*PerfStandbyElectionResponse) GetPrimaryClusterAddr added in v0.11.2

func (x *PerfStandbyElectionResponse) GetPrimaryClusterAddr() string

func (*PerfStandbyElectionResponse) ProtoMessage added in v0.11.2

func (*PerfStandbyElectionResponse) ProtoMessage()

func (*PerfStandbyElectionResponse) ProtoReflect added in v1.5.0

func (*PerfStandbyElectionResponse) Reset added in v0.11.2

func (x *PerfStandbyElectionResponse) Reset()

func (*PerfStandbyElectionResponse) String added in v0.11.2

func (x *PerfStandbyElectionResponse) String() string

type PhysicalBackendBundle added in v1.3.0

// PhysicalBackendBundle groups a physical backend with its optional HA
// backend and a Cleanup func that releases whatever the bundle holds.
type PhysicalBackendBundle struct {
	Backend   physical.Backend
	HABackend physical.HABackend
	Cleanup   func()
}

type PluginCatalog added in v0.7.1

// PluginCatalog keeps a record of plugins known to vault. External plugins
// need to be registered to the catalog before they can be used in backends.
// Builtin plugins are automatically detected and included in the catalog.
// Set records a SHA-256 alongside the command; Get resolves external plugins
// before builtin ones.
type PluginCatalog struct {
	// contains filtered or unexported fields
}

PluginCatalog keeps a record of plugins known to vault. External plugins need to be registered to the catalog before they can be used in backends. Builtin plugins are automatically detected and included in the catalog.

func (*PluginCatalog) Delete added in v0.7.1

func (c *PluginCatalog) Delete(ctx context.Context, name string, pluginType consts.PluginType, pluginVersion string) error

Delete is used to remove an external plugin from the catalog. Builtin plugins can not be deleted.

func (*PluginCatalog) Get added in v0.7.1

func (c *PluginCatalog) Get(ctx context.Context, name string, pluginType consts.PluginType, version string) (*pluginutil.PluginRunner, error)

Get retrieves a plugin with the specified name from the catalog. It first looks for external plugins with this name and then looks for builtin plugins. It returns a PluginRunner or an error if no plugin was found.

func (*PluginCatalog) List added in v0.7.1

func (c *PluginCatalog) List(ctx context.Context, pluginType consts.PluginType) ([]string, error)

List returns a list of all the known plugin names. If an external and builtin plugin share the same name, only one instance of the name will be returned.

func (*PluginCatalog) ListVersionedPlugins added in v1.12.0

func (c *PluginCatalog) ListVersionedPlugins(ctx context.Context, pluginType consts.PluginType) ([]pluginutil.VersionedPlugin, error)

func (*PluginCatalog) NewPluginClient added in v1.10.0

func (c *PluginCatalog) NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (*pluginClient, error)

NewPluginClient returns a client for managing the lifecycle of a plugin process

func (*PluginCatalog) Set added in v0.7.1

func (c *PluginCatalog) Set(ctx context.Context, name string, pluginType consts.PluginType, version string, command string, args []string, env []string, sha256 []byte) error

Set registers a new external plugin with the catalog, or updates an existing external plugin. It takes the name, command and SHA256 of the plugin.

func (*PluginCatalog) UpgradePlugins added in v1.0.0

func (c *PluginCatalog) UpgradePlugins(ctx context.Context, logger log.Logger) error

UpgradePlugins will loop over all the plugins of unknown type and attempt to upgrade them to typed plugins.

type Policy

// Policy is used to represent the policy specified by an ACL configuration.
// Raw keeps the original policy text; Paths is filled by parsing (see
// ParseACLPolicy) rather than decoded from HCL directly (tag "-").
type Policy struct {
	Name      string       `hcl:"name"`
	Paths     []*PathRules `hcl:"-"`
	Raw       string
	Type      PolicyType
	Templated bool
	// contains filtered or unexported fields
}

Policy is used to represent the policy specified by an ACL configuration.

func ParseACLPolicy added in v0.9.0

func ParseACLPolicy(ns *namespace.Namespace, rules string) (*Policy, error)

ParseACLPolicy is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL

func (*Policy) ShallowClone added in v0.11.2

func (p *Policy) ShallowClone() *Policy

ShallowClone returns a shallow clone of the policy. This should not be used if any of the reference-typed fields are going to be modified

type PolicyCheckOpts added in v0.9.0

// PolicyCheckOpts tunes a policy check: RootPrivsRequired presumably demands
// root-level privileges and Unauth marks an unauthenticated check — confirm
// against the caller.
type PolicyCheckOpts struct {
	RootPrivsRequired bool
	Unauth            bool
}

type PolicyEntry added in v0.2.0

// PolicyEntry is used to store a policy by name: the raw text, its type and
// a Version for the stored format.
type PolicyEntry struct {
	Version   int
	Raw       string
	Templated bool
	Type      PolicyType
	// contains filtered or unexported fields
}

PolicyEntry is used to store a policy by name

type PolicyMFABackend added in v1.10.0

// PolicyMFABackend embeds MFABackend; construct it with NewPolicyMFABackend.
type PolicyMFABackend struct {
	*MFABackend
}

func NewPolicyMFABackend added in v1.10.0

func NewPolicyMFABackend(core *Core, logger hclog.Logger) *PolicyMFABackend

type PolicyStore

// PolicyStore is used to provide durable storage of policy, and to manage ACLs
// associated with them. Create it with NewPolicyStore; ACL builds an ACL from
// named (and optional pre-fetched) policies.
type PolicyStore struct {
	// contains filtered or unexported fields
}

PolicyStore is used to provide durable storage of policy, and to manage ACLs associated with them.

func NewPolicyStore

func NewPolicyStore(ctx context.Context, core *Core, baseView *BarrierView, system logical.SystemView, logger log.Logger) (*PolicyStore, error)

NewPolicyStore creates a new PolicyStore that is backed using a given view. It is used to durably store and manage named policies.

func (*PolicyStore) ACL

func (ps *PolicyStore) ACL(ctx context.Context, entity *identity.Entity, policyNames map[string][]string, additionalPolicies ...*Policy) (*ACL, error)

ACL is used to return an ACL which is built using the named policies and pre-fetched policies if given.

func (*PolicyStore) DeletePolicy

func (ps *PolicyStore) DeletePolicy(ctx context.Context, name string, policyType PolicyType) error

DeletePolicy is used to delete the named policy

func (*PolicyStore) GetNonEGPPolicyType added in v1.13.8

func (ps *PolicyStore) GetNonEGPPolicyType(nsID string, name string) (*PolicyType, error)

GetNonEGPPolicyType returns a policy's type. It will return an error if the policy doesn't exist in the store or isn't an ACL or a Sentinel Role Governing Policy (RGP).

Note: Sentinel Endpoint Governing Policies (EGPs) are not stored within the policyTypeMap. We sometimes need to distinguish between ACLs and RGPs due to them both being token policies, but the logic related to EGPs is separate enough that it is never necessary to look up their type.

func (*PolicyStore) GetPolicy

func (ps *PolicyStore) GetPolicy(ctx context.Context, name string, policyType PolicyType) (*Policy, error)

GetPolicy is used to fetch the named policy

func (*PolicyStore) ListPolicies

func (ps *PolicyStore) ListPolicies(ctx context.Context, policyType PolicyType) ([]string, error)

ListPolicies is used to list the available policies

func (*PolicyStore) SetPolicy

func (ps *PolicyStore) SetPolicy(ctx context.Context, p *Policy) error

SetPolicy is used to create or update the given policy

type PolicyType added in v0.9.0

// PolicyType distinguishes ACL, Sentinel RGP and Sentinel EGP policies; see
// PolicyStore.GetNonEGPPolicyType for how token policies are classified.
type PolicyType uint32
const (
	PolicyTypeACL PolicyType = iota
	PolicyTypeRGP
	PolicyTypeEGP

	// Triggers a lookup in the map to figure out if ACL or RGP
	PolicyTypeToken
)

func (PolicyType) String added in v0.9.0

func (p PolicyType) String() string

type RawBackend added in v1.3.0

// RawBackend is a framework.Backend-based backend created by NewRawBackend
// from a Core; its purpose is not documented on this page.
type RawBackend struct {
	*framework.Backend
	// contains filtered or unexported fields
}

func NewRawBackend added in v1.3.0

func NewRawBackend(core *Core) *RawBackend

type RegisterAuthFunc added in v0.11.2

// RegisterAuthFunc registers a logical.Auth with a TTL; the two string
// arguments are not documented here — check the caller for their meaning.
type RegisterAuthFunc func(context.Context, time.Duration, string, *logical.Auth, string) error

type RekeyBackup added in v0.5.0

// RekeyBackup stores the backup copy of PGP-encrypted keys, keyed by string
// (presumably PGP fingerprint; cf. RekeyResult.PGPFingerprints — confirm).
type RekeyBackup struct {
	Nonce string
	Keys  map[string][]string
}

RekeyBackup stores the backup copy of PGP-encrypted keys

type RekeyResult added in v0.2.0

// RekeyResult is used to provide the key parts back after they are generated
// as part of the rekey. SecretShares is key material and must not be logged;
// RecoveryKey says whether the shares are recovery rather than barrier
// shares, and VerificationNonce is consumed by the verify step (see
// RekeyVerifyResult).
type RekeyResult struct {
	SecretShares         [][]byte
	PGPFingerprints      []string
	Backup               bool
	RecoveryKey          bool
	VerificationRequired bool
	VerificationNonce    string
}

RekeyResult is used to provide the key parts back after they are generated as part of the rekey.

type RekeyVerifyResult added in v0.10.2

// RekeyVerifyResult reports progress of rekey verification: Complete once
// enough shares have been verified, Nonce identifying the verification.
type RekeyVerifyResult struct {
	Complete bool
	Nonce    string
}

type ReplicationTokenInfo added in v0.11.2

// ReplicationTokenInfo carries no fields in this build.
type ReplicationTokenInfo struct{}

type RequestForwardingClient added in v0.6.1

// RequestForwardingClient is the client API for RequestForwarding service.
// Obtain one with NewRequestForwardingClient.
type RequestForwardingClient interface {
	ForwardRequest(ctx context.Context, in *forwarding.Request, opts ...grpc.CallOption) (*forwarding.Response, error)
	Echo(ctx context.Context, in *EchoRequest, opts ...grpc.CallOption) (*EchoReply, error)
	PerformanceStandbyElectionRequest(ctx context.Context, in *PerfStandbyElectionInput, opts ...grpc.CallOption) (RequestForwarding_PerformanceStandbyElectionRequestClient, error)
}

RequestForwardingClient is the client API for RequestForwarding service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

func NewRequestForwardingClient added in v0.6.1

func NewRequestForwardingClient(cc grpc.ClientConnInterface) RequestForwardingClient

type RequestForwardingServer added in v0.6.1

// RequestForwardingServer is the server API for RequestForwarding service.
// All implementations must embed UnimplementedRequestForwardingServer for
// forward compatibility (the unexported method below enforces this).
type RequestForwardingServer interface {
	ForwardRequest(context.Context, *forwarding.Request) (*forwarding.Response, error)
	Echo(context.Context, *EchoRequest) (*EchoReply, error)
	PerformanceStandbyElectionRequest(*PerfStandbyElectionInput, RequestForwarding_PerformanceStandbyElectionRequestServer) error
	// contains filtered or unexported methods
}

RequestForwardingServer is the server API for RequestForwarding service. All implementations must embed UnimplementedRequestForwardingServer for forward compatibility.

type RequestForwarding_PerformanceStandbyElectionRequestClient added in v0.11.2

// RequestForwarding_PerformanceStandbyElectionRequestClient is the client side
// of the server-streaming election RPC; Recv yields one response per message.
type RequestForwarding_PerformanceStandbyElectionRequestClient interface {
	Recv() (*PerfStandbyElectionResponse, error)
	grpc.ClientStream
}

type RequestForwarding_PerformanceStandbyElectionRequestServer added in v0.11.2

// RequestForwarding_PerformanceStandbyElectionRequestServer is the server side
// of the server-streaming election RPC; Send pushes one response.
type RequestForwarding_PerformanceStandbyElectionRequestServer interface {
	Send(*PerfStandbyElectionResponse) error
	grpc.ServerStream
}

type ResponseCounts added in v1.10.0

// ResponseCounts is the client-count payload shared by the Response* types
// below; it appears to be the activity-log reporting shape — confirm.
type ResponseCounts struct {
	DistinctEntities int `json:"distinct_entities"`
	EntityClients    int `json:"entity_clients"`
	NonEntityTokens  int `json:"non_entity_tokens"`
	NonEntityClients int `json:"non_entity_clients"`
	Clients          int `json:"clients"`
}

type ResponseMonth added in v1.10.0

// ResponseMonth holds one month's counts, broken down by namespace, plus the
// clients first seen in that month.
type ResponseMonth struct {
	Timestamp  string               `json:"timestamp"`
	Counts     *ResponseCounts      `json:"counts"`
	Namespaces []*ResponseNamespace `json:"namespaces"`
	NewClients *ResponseNewClients  `json:"new_clients" mapstructure:"new_clients"`
}

type ResponseMount added in v1.10.0

// ResponseMount is the per-mount breakdown inside a ResponseNamespace.
type ResponseMount struct {
	MountPath string          `json:"mount_path"`
	Counts    *ResponseCounts `json:"counts"`
}

type ResponseMountAccessors added in v1.13.0

// ResponseMountAccessors pairs a mount accessor with a count and the alias
// identifiers attributed to it.
type ResponseMountAccessors struct {
	MountAccessor    string   `json:"mount_accessor" mapstructure:"mount_accessor"`
	Counts           int      `json:"counts" mapstructure:"counts"`
	AliasIdentifiers []string `json:"alias_identifiers" mapstructure:"alias_identifiers"`
}

type ResponseNamespace added in v1.10.0

// ResponseNamespace is the per-namespace breakdown; note Counts is a value
// here, unlike the pointer used by the other Response* types.
type ResponseNamespace struct {
	NamespaceID   string           `json:"namespace_id"`
	NamespacePath string           `json:"namespace_path"`
	Counts        ResponseCounts   `json:"counts"`
	Mounts        []*ResponseMount `json:"mounts"`
}

type ResponseNewClients added in v1.10.0

// ResponseNewClients mirrors ResponseMonth's totals and namespace breakdown,
// restricted to newly seen clients.
type ResponseNewClients struct {
	Counts     *ResponseCounts      `json:"counts"`
	Namespaces []*ResponseNamespace `json:"namespaces"`
}

type RollbackManager

// RollbackManager is responsible for performing rollbacks of partial secrets
// within logical backends by periodically issuing a logical.RollbackOperation
// to every mounted backend; only one rollback is in flight at a time within a
// seal/unseal phase. Create with NewRollbackManager; Start/Stop control the
// loop and Rollback forces one immediately.
type RollbackManager struct {
	// contains filtered or unexported fields
}

RollbackManager is responsible for performing rollbacks of partial secrets within logical backends.

During normal operations, it is possible for logical backends to error partially through an operation. These are called "partial secrets": they are never sent back to a user, but they do need to be cleaned up. This manager handles that by periodically (on a timer) requesting that the backends clean up.

The RollbackManager periodically initiates a logical.RollbackOperation on every mounted logical backend. It ensures that only one rollback operation is in-flight at any given time within a single seal/unseal phase.

func NewRollbackManager

func NewRollbackManager(ctx context.Context, logger log.Logger, backendsFunc func() []*MountEntry, router *Router, core *Core) *RollbackManager

NewRollbackManager is used to create a new rollback manager

func (*RollbackManager) Rollback

func (m *RollbackManager) Rollback(ctx context.Context, path string) error

Rollback is used to trigger an immediate rollback of the path, or to join an existing rollback operation if in flight. Caller should have core's statelock held (write OR read). If an already in-flight rollback is happening, this function will simply wait for it to complete.

func (*RollbackManager) Start

func (m *RollbackManager) Start()

Start starts the rollback manager

func (*RollbackManager) Stop

func (m *RollbackManager) Stop()

Stop stops the running manager. This will wait for any in-flight rollbacks to complete.

func (*RollbackManager) StopTicker added in v1.13.2

func (m *RollbackManager) StopTicker()

StopTicker stops the automatic Rollback manager's ticker, causing us to not do automatic rollbacks. This is useful for testing a plugin's periodic function's behavior, without trying to race against the rollback manager proper.

THIS SHOULD ONLY BE CALLED FROM TEST HELPERS.

type Router

// Router is used to do prefix based routing of a request to a logical
// backend. Backends are attached with Mount/Unmount/Remount, and the
// Matching* methods resolve paths, accessors and UUIDs to mounts, storage
// and system views.
type Router struct {
	// contains filtered or unexported fields
}

Router is used to do prefix based routing of a request to a logical backend

func NewRouter

func NewRouter() *Router

NewRouter returns a new router

func (*Router) GetRecords added in v1.13.0

func (r *Router) GetRecords(tag string) ([]map[string]interface{}, error)

func (*Router) LoginPath

func (r *Router) LoginPath(ctx context.Context, path string) bool

LoginPath checks if the given path is used for logins. Matching priority:

  1. prefix
  2. exact
  3. wildcard

func (*Router) MatchingAPIPrefixByStoragePath added in v0.11.2

func (r *Router) MatchingAPIPrefixByStoragePath(ctx context.Context, path string) (*namespace.Namespace, string, string, bool)

MatchingAPIPrefixByStoragePath returns the API path information for the given storage path.

func (*Router) MatchingBackend added in v0.3.0

func (r *Router) MatchingBackend(ctx context.Context, path string) logical.Backend

MatchingBackend returns the backend used for a path

func (*Router) MatchingMount

func (r *Router) MatchingMount(ctx context.Context, path string) string

MatchingMount returns the mount prefix that would be used for a path

func (*Router) MatchingMountByAPIPath added in v1.5.0

func (r *Router) MatchingMountByAPIPath(ctx context.Context, path string) string

func (*Router) MatchingMountByAccessor added in v0.8.0

func (r *Router) MatchingMountByAccessor(mountAccessor string) *MountEntry

MatchingMountByAccessor returns the MountEntry by accessor lookup

func (*Router) MatchingMountByUUID added in v0.8.0

func (r *Router) MatchingMountByUUID(mountID string) *MountEntry

func (*Router) MatchingMountEntry added in v0.3.0

func (r *Router) MatchingMountEntry(ctx context.Context, path string) *MountEntry

MatchingMountEntry returns the MountEntry used for a path

func (*Router) MatchingStorageByAPIPath added in v0.9.0

func (r *Router) MatchingStorageByAPIPath(ctx context.Context, path string) logical.Storage

MatchingStorageByAPIPath/StoragePath returns the storage used for API/Storage paths respectively

func (*Router) MatchingStorageByStoragePath added in v0.9.0

func (r *Router) MatchingStorageByStoragePath(ctx context.Context, path string) logical.Storage

func (*Router) MatchingStoragePrefixByAPIPath added in v0.9.0

func (r *Router) MatchingStoragePrefixByAPIPath(ctx context.Context, path string) (string, bool)

MatchingStoragePrefixByAPIPath returns the storage prefix for the given API path.

func (*Router) MatchingSystemView added in v0.3.0

func (r *Router) MatchingSystemView(ctx context.Context, path string) logical.SystemView

MatchingSystemView returns the SystemView used for a path

func (*Router) Mount

func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, storageView *BarrierView) error

Mount is used to expose a logical backend at a given prefix, using a unique salt, and the barrier view for that path.

func (*Router) MountConflict added in v0.9.0

func (r *Router) MountConflict(ctx context.Context, path string) string

MountConflict determines if there are potential path conflicts

func (*Router) Remount

func (r *Router) Remount(ctx context.Context, src, dst string) error

Remount is used to change the mount location of a logical backend

func (*Router) RootPath

func (r *Router) RootPath(ctx context.Context, path string) bool

RootPath checks if the given path requires root privileges

func (*Router) Route

func (r *Router) Route(ctx context.Context, req *logical.Request) (*logical.Response, error)

Route is used to route a given request

func (*Router) RouteExistenceCheck added in v0.5.0

func (r *Router) RouteExistenceCheck(ctx context.Context, req *logical.Request) (*logical.Response, bool, bool, error)

RouteExistenceCheck is used to route a given existence check request

func (*Router) Taint

func (r *Router) Taint(ctx context.Context, path string) error

Taint is used to mark a path as tainted. This means only RollbackOperation and RevokeOperation requests are allowed to proceed.

func (*Router) Unmount

func (r *Router) Unmount(ctx context.Context, prefix string) error

Unmount is used to remove a logical backend from a given prefix

func (*Router) Untaint

func (r *Router) Untaint(ctx context.Context, path string) error

Untaint is used to unmark a path as tainted.

func (*Router) ValidateMountByAccessor added in v1.9.0

func (r *Router) ValidateMountByAccessor(accessor string) *ValidateMountResponse

ValidateMountByAccessor returns the mount type and ID for a given mount accessor

type RouterAccess added in v0.9.0

// RouterAccess provides access into some things necessary for testing; build
// it with NewRouterAccess.
type RouterAccess struct {
	// contains filtered or unexported fields
}

RouterAccess provides access into some things necessary for testing

func NewRouterAccess added in v0.9.0

func NewRouterAccess(c *Core) *RouterAccess

func (*RouterAccess) StoragePrefixByAPIPath added in v0.9.0

func (r *RouterAccess) StoragePrefixByAPIPath(ctx context.Context, path string) (string, bool)

type RouterTestHandlerFunc added in v1.1.4

// RouterTestHandlerFunc is the request handler signature used by NoopBackend
// in tests.
type RouterTestHandlerFunc func(context.Context, *logical.Request) (*logical.Response, error)

type SSCTokenGenerationCounter added in v1.10.0

// SSCTokenGenerationCounter wraps a single generation counter for
// server-side-consistent tokens.
type SSCTokenGenerationCounter struct {
	Counter int
}

type Seal added in v0.6.0

// Seal abstracts how the barrier and (optionally) recovery keys are protected.
// Key material flows through SetStoredKeys/GetStoredKeys and
// SetRecoveryKey/RecoveryKey, so implementations and callers must treat those
// values as secrets. SealAccess exposes a read-only subset of this interface
// (no Set* methods) for use outside Core.
type Seal interface {
	SetCore(*Core)
	Init(context.Context) error
	Finalize(context.Context) error
	StoredKeysSupported() seal.StoredKeysSupport
	SealWrapable() bool
	SetStoredKeys(context.Context, [][]byte) error
	GetStoredKeys(context.Context) ([][]byte, error)
	BarrierType() wrapping.WrapperType
	BarrierConfig(context.Context) (*SealConfig, error)
	SetBarrierConfig(context.Context, *SealConfig) error
	SetCachedBarrierConfig(*SealConfig)
	RecoveryKeySupported() bool
	RecoveryType() string
	RecoveryConfig(context.Context) (*SealConfig, error)
	RecoveryKey(context.Context) ([]byte, error)
	SetRecoveryConfig(context.Context, *SealConfig) error
	SetCachedRecoveryConfig(*SealConfig)
	SetRecoveryKey(context.Context, []byte) error
	VerifyRecoveryKey(context.Context, []byte) error
	GetAccess() *seal.Access
}

func NewDefaultSeal added in v0.9.5

func NewDefaultSeal(lowLevel *seal.Access) Seal

func NewTestSeal added in v0.9.0

func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal

type SealAccess added in v0.6.0

// SealAccess is a wrapper around Seal that exposes accessor methods through
// Core.SealAccess() while restricting the ability to modify Core.seal itself.
// It is constructed with NewSealAccess and forwards the query side of the
// Seal interface (BarrierConfig, BarrierType, RecoveryConfig,
// RecoveryKeySupported, StoredKeysSupported, VerifyRecoveryKey, GetAccess)
// plus ClearCaches.
type SealAccess struct {
	// contains filtered or unexported fields
}

SealAccess is a wrapper around Seal that exposes accessor methods through Core.SealAccess() while restricting the ability to modify Core.seal itself.

func NewSealAccess added in v0.9.0

func NewSealAccess(seal Seal) *SealAccess

func (*SealAccess) BarrierConfig added in v0.6.0

func (s *SealAccess) BarrierConfig(ctx context.Context) (*SealConfig, error)

func (*SealAccess) BarrierType added in v0.11.2

func (s *SealAccess) BarrierType() wrapping.WrapperType

func (*SealAccess) ClearCaches added in v0.9.0

func (s *SealAccess) ClearCaches(ctx context.Context)

func (*SealAccess) GetAccess added in v1.4.0

func (s *SealAccess) GetAccess() *seal.Access

func (*SealAccess) RecoveryConfig added in v0.6.0

func (s *SealAccess) RecoveryConfig(ctx context.Context) (*SealConfig, error)

func (*SealAccess) RecoveryKeySupported added in v0.6.0

func (s *SealAccess) RecoveryKeySupported() bool

func (*SealAccess) StoredKeysSupported added in v0.6.0

func (s *SealAccess) StoredKeysSupported() seal.StoredKeysSupport

func (*SealAccess) VerifyRecoveryKey added in v0.9.0

func (s *SealAccess) VerifyRecoveryKey(ctx context.Context, key []byte) error

type SealConfig

// SealConfig is used to describe the seal configuration: the Shamir
// parameters, optional PGP wrapping of the unseal keys, and the transient
// state of an in-flight rekey. Validate sanity-checks a config and Clone
// copies one. Fields tagged `json:"-"` are never persisted or returned over
// the wire.
type SealConfig struct {
	// The type, for sanity checking
	Type string `json:"type" mapstructure:"type"`

	// SecretShares is the number of shares the secret is split into. This is
	// the N value of Shamir.
	SecretShares int `json:"secret_shares" mapstructure:"secret_shares"`

	// SecretThreshold is the number of parts required to open the vault. This
	// is the T value of Shamir.
	SecretThreshold int `json:"secret_threshold" mapstructure:"secret_threshold"`

	// PGPKeys is the array of public PGP keys used, if requested, to encrypt
	// the output unseal tokens. If provided, it sets the value of
	// SecretShares. Ordering is important.
	PGPKeys []string `json:"pgp_keys" mapstructure:"pgp_keys"`

	// Nonce is a nonce generated by Vault used to ensure that when unseal keys
	// are submitted for a rekey operation, the rekey operation itself is the
	// one intended. This prevents hijacking of the rekey operation, since it
	// is unauthenticated.
	Nonce string `json:"nonce" mapstructure:"nonce"`

	// Backup indicates whether or not a backup of PGP-encrypted unseal keys
	// should be stored at coreUnsealKeysBackupPath after successful rekeying.
	Backup bool `json:"backup" mapstructure:"backup"`

	// How many keys to store, for seals that support storage.  Always 0 or 1.
	StoredShares int `json:"stored_shares" mapstructure:"stored_shares"`

	// Stores the progress of the rekey operation (key shares). Key material;
	// in-memory only.
	RekeyProgress [][]byte `json:"-"`

	// VerificationRequired indicates that after a rekey validation must be
	// performed (via providing shares from the new key) before the new key is
	// actually installed. This is omitted from JSON as we don't persist the
	// new key, it lives only in memory.
	VerificationRequired bool `json:"-"`

	// VerificationKey is the new key that we will roll to after successful
	// validation. Key material; in-memory only.
	VerificationKey []byte `json:"-"`

	// VerificationNonce stores the current operation nonce for verification
	VerificationNonce string `json:"-"`

	// Stores the progress of the verification operation (key shares). Key
	// material; in-memory only.
	VerificationProgress [][]byte `json:"-"`
}

SealConfig is used to describe the seal configuration

func (*SealConfig) Clone added in v0.6.0

func (s *SealConfig) Clone() *SealConfig

func (*SealConfig) Validate

func (s *SealConfig) Validate() error

Validate is used to sanity check the seal configuration

type SealStatusResponse added in v1.6.2

// SealStatusResponse is the JSON body describing the seal state of a node.
// The json tags are the wire contract and must stay stable; note that
// hcp_link_resource_ID differs in casing from every other tag but cannot be
// changed without breaking clients.
type SealStatusResponse struct {
	Type              string   `json:"type"`
	Initialized       bool     `json:"initialized"`
	Sealed            bool     `json:"sealed"`
	// T and N presumably mirror SealConfig.SecretThreshold and
	// SecretShares (the T-of-N Shamir parameters) -- confirm against the
	// handler that fills this struct.
	T                 int      `json:"t"`
	N                 int      `json:"n"`
	Progress          int      `json:"progress"`
	Nonce             string   `json:"nonce"`
	Version           string   `json:"version"`
	BuildDate         string   `json:"build_date"`
	Migration         bool     `json:"migration"`
	// omitempty fields below are dropped from the output when zero-valued.
	ClusterName       string   `json:"cluster_name,omitempty"`
	ClusterID         string   `json:"cluster_id,omitempty"`
	RecoverySeal      bool     `json:"recovery_seal"`
	StorageType       string   `json:"storage_type,omitempty"`
	HCPLinkStatus     string   `json:"hcp_link_status,omitempty"`
	HCPLinkResourceID string   `json:"hcp_link_resource_ID,omitempty"`
	Warnings          []string `json:"warnings,omitempty"`
}

type SecurityBarrier

// SecurityBarrier is a critical component of Vault. It is used to wrap an
// untrusted physical backend and provide a single point of encryption,
// decryption and checksum verification. The goal is to ensure that any data
// written to the barrier is confidential and that integrity is preserved. As
// a real-world analogy, this is the steel and concrete wrapper around a
// Vault. The barrier should only be unlockable given its key.
type SecurityBarrier interface {
	// Initialized checks if the barrier has been initialized
	// and has a root key set.
	Initialized(ctx context.Context) (bool, error)

	// Initialize works only if the barrier has not been initialized
	// and makes use of the given root key.  When sealKey is provided
	// it's because we're using a new-style Shamir seal, and rootKey
	// is to be stored using sealKey to encrypt it. random is the entropy
	// source for any key material generated during initialization.
	Initialize(ctx context.Context, rootKey []byte, sealKey []byte, random io.Reader) error

	// GenerateKey is used to generate a new key from the given reader.
	GenerateKey(io.Reader) ([]byte, error)

	// KeyLength is used to sanity check a key (two ints; presumably the
	// minimum and maximum accepted length -- confirm against the
	// implementation).
	KeyLength() (int, int)

	// Sealed checks if the barrier has been unlocked yet. The Barrier
	// is not expected to be able to perform any CRUD until it is unsealed.
	Sealed() (bool, error)

	// Unseal is used to provide the unseal key which permits the barrier
	// to be unsealed. If the key is not correct, the barrier remains sealed.
	Unseal(ctx context.Context, key []byte) error

	// VerifyRoot is used to check if the given key matches the root key
	VerifyRoot(key []byte) error

	// SetRootKey is used to directly set a new root key. This is used in
	// replicated scenarios due to the chicken and egg problem of reloading the
	// keyring from disk before we have the root key to decrypt it. Unlike
	// Unseal it performs no verification of the key against stored state, so
	// callers are responsible for the key's provenance.
	SetRootKey(key []byte) error

	// ReloadKeyring is used to re-read the underlying keyring.
	// This is used for HA deployments to ensure the latest keyring
	// is present in the leader.
	ReloadKeyring(ctx context.Context) error

	// ReloadRootKey is used to re-read the underlying root key.
	// This is used for HA deployments to ensure the latest root key
	// is available for keyring reloading.
	ReloadRootKey(ctx context.Context) error

	// Seal is used to re-seal the barrier. This requires the barrier to
	// be unsealed again to perform any further operations.
	Seal() error

	// Rotate is used to create a new encryption key. All future writes
	// should use the new key, while old values should still be decryptable.
	// The returned uint32 is the new key term.
	Rotate(ctx context.Context, reader io.Reader) (uint32, error)

	// CreateUpgrade creates an upgrade path key to the given term from the previous term
	CreateUpgrade(ctx context.Context, term uint32) error

	// DestroyUpgrade destroys the upgrade path key to the given term
	DestroyUpgrade(ctx context.Context, term uint32) error

	// CheckUpgrade looks for an upgrade to the current term and installs it.
	// It reports whether an upgrade was applied and the resulting term.
	CheckUpgrade(ctx context.Context) (bool, uint32, error)

	// ActiveKeyInfo is used to inform details about the active key
	ActiveKeyInfo() (*KeyInfo, error)

	// RotationConfig returns the auto-rotation config for the barrier key
	RotationConfig() (KeyRotationConfig, error)

	// SetRotationConfig updates the auto-rotation config for the barrier key
	SetRotationConfig(ctx context.Context, config KeyRotationConfig) error

	// Rekey is used to change the master key used to protect the keyring
	// (presumably the same key the other methods call the root key).
	Rekey(context.Context, []byte) error

	// For replication we must send over the keyring, so this must be available
	Keyring() (*Keyring, error)

	// For encryption count shipping, a function which handles updating local encryption counts if the consumer succeeds.
	// This isolates the barrier code from the replication system
	ConsumeEncryptionCount(consumer func(int64) error) error

	// Add encryption counts from a remote source (downstream cluster node)
	AddRemoteEncryptions(encryptions int64)

	// Check whether an automatic rotation is due; the string result is a
	// reason/status message (confirm its exact meaning in the implementation).
	CheckBarrierAutoRotate(ctx context.Context) (string, error)

	// SecurityBarrier must provide the storage APIs
	logical.Storage

	// SecurityBarrier must provide the encryption APIs
	BarrierEncryptor
}

SecurityBarrier is a critical component of Vault. It is used to wrap an untrusted physical backend and provide a single point of encryption, decryption and checksum verification. The goal is to ensure that any data written to the barrier is confidential and that integrity is preserved. As a real-world analogy, this is the steel and concrete wrapper around a Vault. The barrier should only be unlockable given its key.

type SegmentReader added in v1.11.10

// SegmentReader is an interface that provides methods to read tokens and
// entities in order from an activity log segment.
type SegmentReader interface {
	// ReadToken returns the next token count record.
	ReadToken(ctx context.Context) (*activity.TokenCount, error)
	// ReadEntity returns the next entity activity record.
	ReadEntity(ctx context.Context) (*activity.EntityActivityLog, error)
}

SegmentReader is an interface that provides methods to read tokens and entities in order

type SentinelResults added in v1.11.0

// SentinelResults carries the outcome of a policy evaluation (presumably the
// Sentinel policy engine, judging by the name) back to the caller.
type SentinelResults struct {
	// GrantingPolicies lists the policies that granted the request.
	GrantingPolicies []logical.PolicyInfo
}

type SystemBackend

// SystemBackend implements logical.Backend and is used to interact with the
// core of the system. This backend is hardcoded to exist at the "sys" prefix.
// Conceptually it is similar to procfs on Linux. It is constructed with
// NewSystemBackend(core, logger).
type SystemBackend struct {
	*framework.Backend
	// Core is the Core this backend operates on.
	Core *Core
	// contains filtered or unexported fields
}

SystemBackend implements logical.Backend and is used to interact with the core of the system. This backend is hardcoded to exist at the "sys" prefix. Conceptually it is similar to procfs on Linux.

func NewSystemBackend

func NewSystemBackend(core *Core, logger log.Logger) *SystemBackend

type TOTPPersister added in v1.9.0

// TOTPPersister is implemented by anything that can store a TOTP key.
type TOTPPersister interface {
	// PersistTOTPKey stores key for the given configID and entityID. key is
	// secret material (a TOTP seed, judging by the name), so implementations
	// are expected to write it only to protected storage -- the interface
	// itself does not enforce this.
	PersistTOTPKey(ctx context.Context, configID string, entityID string, key string) error
}

type TestCluster added in v0.6.1

// TestCluster is a multi-core Vault cluster for use in tests, built by
// NewTestCluster and torn down by Cleanup. It keeps the cluster's secrets
// (barrier/recovery key shares, the root token, the CA private key and the
// license private key) in exported fields so tests can reach them; it is not
// intended for anything but tests.
type TestCluster struct {
	BarrierKeys        [][]byte
	RecoveryKeys       [][]byte
	CACert             *x509.Certificate
	CACertBytes        []byte
	CACertPEM          []byte
	CACertPEMFile      string
	CAKey              *ecdsa.PrivateKey
	CAKeyPEM           []byte
	Cores              []*TestClusterCore
	ID                 string
	Plugins            []pluginhelpers.TestPlugin
	RootToken          string
	RootCAs            *x509.CertPool
	TempDir            string
	ClientAuthRequired bool
	Logger             log.Logger
	// CleanupFunc and SetupFunc are hooks run by Cleanup and Start
	// respectively (presumably -- confirm in the method bodies).
	CleanupFunc        func()
	SetupFunc          func()

	LicensePublicKey  ed25519.PublicKey
	LicensePrivateKey ed25519.PrivateKey
	// contains filtered or unexported fields
}

func NewTestCluster added in v0.8.0

func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *TestCluster

NewTestCluster creates a new test cluster based on the provided core config and test cluster options.

N.B. Even though a single base CoreConfig is provided, NewTestCluster will instantiate a core config for each core it creates. If separate seal per core is desired, opts.SealFunc can be provided to generate a seal for each one. Otherwise, the provided base.Seal will be shared among cores. NewCore's default behavior is to generate a new DefaultSeal if the provided Seal in coreConfig (i.e. base.Seal) is nil.

If opts.Logger is provided, it takes precedence and will be used as the cluster logger and will be the basis for each core's logger. If no opts.Logger is given, one will be generated based on t.Name() for the cluster logger, and if no base.Logger is given will also be used as the basis for each core's logger.

func (*TestCluster) AttemptUnsealCore added in v1.8.0

func (c *TestCluster) AttemptUnsealCore(core *TestClusterCore) error

func (*TestCluster) Cleanup added in v0.8.0

func (c *TestCluster) Cleanup()

func (*TestCluster) ClusterID added in v1.13.6

func (c *TestCluster) ClusterID() string

func (*TestCluster) EnsureCoresSealed added in v0.8.2

func (c *TestCluster) EnsureCoresSealed(t testing.T)

func (*TestCluster) GetBarrierKeys added in v1.13.6

func (c *TestCluster) GetBarrierKeys() [][]byte

func (*TestCluster) GetBarrierOrRecoveryKeys added in v1.13.6

func (c *TestCluster) GetBarrierOrRecoveryKeys() [][]byte

func (*TestCluster) GetCACertPEMFile added in v1.13.6

func (c *TestCluster) GetCACertPEMFile() string

func (*TestCluster) GetRecoveryKeys added in v1.13.6

func (c *TestCluster) GetRecoveryKeys() [][]byte

func (*TestCluster) GetRootToken added in v1.13.6

func (c *TestCluster) GetRootToken() string

func (*TestCluster) InitCores added in v1.13.6

func (tc *TestCluster) InitCores(t testing.T, opts *TestClusterOptions, addAuditBackend bool)

func (*TestCluster) NamedLogger added in v1.13.6

func (c *TestCluster) NamedLogger(name string) log.Logger

func (*TestCluster) Nodes added in v1.13.6

func (*TestCluster) SetBarrierKeys added in v1.13.6

func (c *TestCluster) SetBarrierKeys(keys [][]byte)

func (*TestCluster) SetRecoveryKeys added in v1.13.6

func (c *TestCluster) SetRecoveryKeys(keys [][]byte)

func (*TestCluster) SetRootToken added in v1.13.6

func (c *TestCluster) SetRootToken(token string)

func (*TestCluster) Start added in v0.8.0

func (c *TestCluster) Start()

func (*TestCluster) StartCore added in v1.5.0

func (cluster *TestCluster) StartCore(t testing.T, idx int, opts *TestClusterOptions)

StartCore restarts a TestClusterCore that was stopped, by replacing the underlying Core.

func (*TestCluster) StopCore added in v1.5.0

func (cluster *TestCluster) StopCore(t testing.T, idx int)

StopCore performs an orderly shutdown of a core.

func (*TestCluster) UnsealCore added in v1.2.0

func (c *TestCluster) UnsealCore(t testing.T, core *TestClusterCore)

func (*TestCluster) UnsealCoreWithStoredKeys added in v1.5.0

func (c *TestCluster) UnsealCoreWithStoredKeys(t testing.T, core *TestClusterCore)

func (*TestCluster) UnsealCores added in v0.10.0

func (c *TestCluster) UnsealCores(t testing.T)

UnsealCores uses the cluster barrier keys to unseal the test cluster cores

func (*TestCluster) UnsealCoresWithError added in v0.10.2

func (c *TestCluster) UnsealCoresWithError(useStoredKeys bool) error

type TestClusterCore added in v0.6.1

// TestClusterCore is one node of a TestCluster. It embeds the real *Core and
// adds the HTTP server, listeners, TLS material and raw storage handles a
// test needs to drive or inspect that node directly.
type TestClusterCore struct {
	*Core
	CoreConfig      *CoreConfig
	Client          *api.Client
	Handler         http.Handler
	Address         *net.TCPAddr
	Listeners       []*TestListener
	// ReloadFuncs is a pointer to a map (maps are already reference types;
	// the pointer presumably exists so the map can be swapped wholesale).
	ReloadFuncs     *map[string][]reloadutil.ReloadFunc
	ReloadFuncsLock *sync.RWMutex
	Server          *http.Server
	ServerCert      *x509.Certificate
	ServerCertBytes []byte
	ServerCertPEM   []byte
	// ServerKey is the node's TLS private key; test-only exposure.
	ServerKey       *ecdsa.PrivateKey
	ServerKeyPEM    []byte

	// UnderlyingStorage, UnderlyingRawStorage and UnderlyingHAStorage give
	// direct access to the physical backends beneath the barrier, bypassing
	// encryption; Barrier is the SecurityBarrier wrapping them.
	UnderlyingStorage    physical.Backend
	UnderlyingRawStorage physical.Backend
	UnderlyingHAStorage  physical.HABackend
	Barrier              SecurityBarrier
	NodeID               string
	// contains filtered or unexported fields
}

func (*TestClusterCore) APIClient added in v1.13.6

func (c *TestClusterCore) APIClient() *api.Client

func (*TestClusterCore) ClusterListener added in v1.13.3

func (c *TestClusterCore) ClusterListener() *cluster.Listener

func (*TestClusterCore) GrabRollbackLock added in v1.13.0

func (c *TestClusterCore) GrabRollbackLock()

func (*TestClusterCore) LogicalStorage added in v1.13.3

func (c *TestClusterCore) LogicalStorage() logical.Storage

func (*TestClusterCore) Name added in v1.13.6

func (c *TestClusterCore) Name() string

func (*TestClusterCore) ReleaseRollbackLock added in v1.13.0

func (c *TestClusterCore) ReleaseRollbackLock()

func (*TestClusterCore) Seal added in v1.0.3

func (c *TestClusterCore) Seal(t testing.T)

func (*TestClusterCore) StopAutomaticRollbacks added in v1.13.2

func (c *TestClusterCore) StopAutomaticRollbacks()

func (*TestClusterCore) TLSConfig added in v0.6.1

func (c *TestClusterCore) TLSConfig() *tls.Config

func (*TestClusterCore) TriggerRollbacks added in v1.13.0

func (c *TestClusterCore) TriggerRollbacks()

type TestClusterOptions added in v0.8.0

// TestClusterOptions configures NewTestCluster. All fields are optional; the
// zero value yields a default cluster. See NewTestCluster for how SealFunc
// and Logger interact with the base CoreConfig.
type TestClusterOptions struct {
	// KeepStandbysSealed leaves the non-active cores sealed after start.
	KeepStandbysSealed       bool
	// SkipInit skips initialization of the cluster (see RaftAddressProvider).
	SkipInit                 bool
	HandlerFunc              HandlerHandler
	DefaultHandlerProperties HandlerProperties

	// BaseListenAddress is used to explicitly assign ports in sequence to the
	// listener of each core.  It should be a string of the form
	// "127.0.0.1:20000"
	//
	// WARNING: Using an explicitly assigned port above 30000 may clash with
	// ephemeral ports that have been assigned by the OS in other tests.  The
	// use of explicitly assigned ports below 30000 is strongly recommended.
	// In addition, you should be careful to use explicitly assigned ports that
	// do not clash with any other explicitly assigned ports in other tests.
	BaseListenAddress string

	// BaseClusterListenPort is used to explicitly assign ports in sequence to
	// the cluster listener of each core.  If BaseClusterListenPort is
	// specified, then BaseListenAddress must also be specified.  Each cluster
	// listener will use the same host as the one specified in
	// BaseListenAddress.
	//
	// WARNING: Using an explicitly assigned port above 30000 may clash with
	// ephemeral ports that have been assigned by the OS in other tests.  The
	// use of explicitly assigned ports below 30000 is strongly recommended.
	// In addition, you should be careful to use explicitly assigned ports that
	// do not clash with any other explicitly assigned ports in other tests.
	BaseClusterListenPort int

	// NumCores is the number of cores to create.
	NumCores       int
	// SealFunc, when set, is called to produce a separate Seal for each core;
	// otherwise the base CoreConfig's Seal is shared among cores.
	SealFunc       func() Seal
	UnwrapSealFunc func() Seal
	// Logger, when set, takes precedence as the cluster logger and the basis
	// for each core's logger.
	Logger         log.Logger
	TempDir        string
	CACert         []byte
	CAKey          *ecdsa.PrivateKey
	// PhysicalFactory is used to create backends.
	// The int argument is the index of the core within the cluster, i.e. first
	// core in cluster will have 0, second 1, etc.
	// If the backend is shared across the cluster (i.e. is not Raft) then it
	// should return nil when coreIdx != 0.
	PhysicalFactory func(t testing.T, coreIdx int, logger log.Logger, conf map[string]interface{}) *PhysicalBackendBundle
	// FirstCoreNumber is used to assign a unique number to each core within
	// a multi-cluster setup.
	FirstCoreNumber   int
	RequireClientAuth bool
	// SetupFunc is called after the cluster is started.
	SetupFunc      func(t testing.T, c *TestCluster)
	PR1103Disabled bool

	// ClusterLayers are used to override the default cluster connection layer
	ClusterLayers cluster.NetworkLayerSet
	// InmemClusterLayers is a shorthand way of asking for ClusterLayers to be
	// built using the inmem implementation.
	InmemClusterLayers bool

	// RaftAddressProvider is used to set the raft ServerAddressProvider on
	// each core.
	//
	// If SkipInit is true, then RaftAddressProvider has no effect.
	// RaftAddressProvider should only be specified if the underlying physical
	// storage is Raft.
	RaftAddressProvider raftlib.ServerAddressProvider

	CoreMetricSinkProvider func(clusterName string) (*metricsutil.ClusterMetricSink, *metricsutil.MetricsHelper)

	// PhysicalFactoryConfig is passed to PhysicalFactory as conf.
	PhysicalFactoryConfig map[string]interface{}
	LicensePublicKey      ed25519.PublicKey
	LicensePrivateKey     ed25519.PrivateKey

	// this stores the vault version that should be used for each core config;
	// the remaining *Map fields are likewise keyed by core index.
	VersionMap             map[int]string
	RedundancyZoneMap      map[int]string
	KVVersion              string
	EffectiveSDKVersionMap map[int]string

	NoDefaultQuotas bool

	Plugins *TestPluginConfig

	// ABCDLoggerNames names the loggers according to our ABCD convention when generating 4 clusters
	ABCDLoggerNames bool
}

type TestListener added in v0.6.1

// TestListener pairs a net.Listener with the TCP address it is bound to, so
// tests can read the address without a type assertion on Addr().
type TestListener struct {
	net.Listener
	Address *net.TCPAddr
}

type TestPluginConfig added in v1.13.0

// TestPluginConfig describes the plugins a TestCluster should be built with
// (see TestClusterOptions.Plugins).
type TestPluginConfig struct {
	// Typ is the plugin type.
	Typ      consts.PluginType
	// Versions lists the plugin versions to build.
	Versions []string
}

type TokenCounter added in v1.3.0

// TokenCounter counts the number of tokens.
type TokenCounter struct {
	// Total is the total number of tokens
	Total int `json:"total"`
}

TokenCounter counts the number of tokens

type TokenStore

// TokenStore is used to manage client tokens. Tokens are used for clients to
// authenticate, and each token is mapped to an applicable set of policies
// which is used for authorization. It is constructed by NewTokenStore and
// must be given an ExpirationManager via SetExpirationManager before
// prefix-based revocation and tidying can work.
type TokenStore struct {
	*framework.Backend
	// contains filtered or unexported fields
}

TokenStore is used to manage client tokens. Tokens are used for clients to authenticate, and each token is mapped to an applicable set of policies which is used for authorization.

func NewTokenStore

func NewTokenStore(ctx context.Context, logger log.Logger, core *Core, config *logical.BackendConfig) (*TokenStore, error)

NewTokenStore is used to construct a token store that is backed by the given barrier view.

func (*TokenStore) CalculateSignedTokenHMAC added in v1.10.0

func (ts *TokenStore) CalculateSignedTokenHMAC(marshalledToken []byte) ([]byte, error)

func (*TokenStore) GenerateSSCTokenID added in v1.10.0

func (ts *TokenStore) GenerateSSCTokenID(innerToken string, walState *logical.WALState, te *logical.TokenEntry) string

GenerateSSCTokenID generates the ID field of the TokenEntry struct for newly minted service tokens. This function is meant to be robust so that Vault can continue operating even when an ID cannot be generated; it therefore logs errors rather than returning them.

func (*TokenStore) GetSSCTokensGenerationCounter added in v1.10.0

func (ts *TokenStore) GetSSCTokensGenerationCounter() int

func (*TokenStore) Invalidate added in v0.8.0

func (ts *TokenStore) Invalidate(ctx context.Context, key string)

func (*TokenStore) Lookup

func (ts *TokenStore) Lookup(ctx context.Context, id string) (*logical.TokenEntry, error)

Lookup is used to find a token given its ID. It acquires a read lock, then calls lookupInternal.

func (*TokenStore) Salt added in v0.8.0

func (ts *TokenStore) Salt(ctx context.Context) (*salt.Salt, error)

func (*TokenStore) SaltID

func (ts *TokenStore) SaltID(ctx context.Context, id string) (string, error)

SaltID is used to apply a salt and hash to an ID to make sure it is not reversible.

func (*TokenStore) SetExpirationManager

func (ts *TokenStore) SetExpirationManager(exp *ExpirationManager)

SetExpirationManager is used to provide the token store with an expiration manager. This is used to manage prefix based revocation of tokens and to tidy entries when removed from the token store.

func (*TokenStore) UpdateSSCTokensGenerationCounter added in v1.10.0

func (ts *TokenStore) UpdateSSCTokensGenerationCounter(ctx context.Context) error

func (*TokenStore) UseToken

func (ts *TokenStore) UseToken(ctx context.Context, te *logical.TokenEntry) (*logical.TokenEntry, error)

UseToken is used to manage restricted-use tokens and decrement their available uses. It returns two values: a potentially updated entry or, if the token has been revoked, nil; and whether an error was encountered. The locking here is not perfect, as other parts of the code may update an entry, but usually none do after the entry is already created, so this is adequate in practice.

func (*TokenStore) UseTokenByID added in v0.6.2

func (ts *TokenStore) UseTokenByID(ctx context.Context, id string) (*logical.TokenEntry, error)

type TokenStorer added in v1.9.0

// TokenStorer is the minimal token persistence surface: look a token up by
// ID and create a new one.
type TokenStorer interface {
	// LookupToken returns the entry for the given token ID.
	LookupToken(context.Context, string) (*logical.TokenEntry, error)
	// CreateToken persists a new token entry.
	CreateToken(context.Context, *logical.TokenEntry) error
}

type UIConfig added in v0.10.0

// UIConfig contains UI configuration. It takes both a physical view and a
// barrier view (see NewUIConfig) because it is stored both in plaintext and
// encrypted, so that the header values can be read before the barrier is
// unsealed. Note that anything written through SetHeader therefore also
// lands in the plaintext physical view.
type UIConfig struct {
	// contains filtered or unexported fields
}

UIConfig contains UI configuration. It takes both a physical view and a barrier view because it is stored both in plaintext and encrypted, to allow the header values to be read before the barrier is unsealed.

func NewUIConfig added in v0.10.0

func NewUIConfig(enabled bool, physicalStorage physical.Backend, barrierStorage logical.Storage) *UIConfig

NewUIConfig creates a new UI config

func (*UIConfig) DeleteHeader added in v0.10.0

func (c *UIConfig) DeleteHeader(ctx context.Context, header string) error

DeleteHeader deletes the header configuration for the given header

func (*UIConfig) Enabled added in v0.10.0

func (c *UIConfig) Enabled() bool

Enabled returns if the UI is enabled

func (*UIConfig) GetHeader added in v0.10.0

func (c *UIConfig) GetHeader(ctx context.Context, header string) ([]string, error)

GetHeader retrieves the configured values for the given header

func (*UIConfig) HeaderKeys added in v0.10.0

func (c *UIConfig) HeaderKeys(ctx context.Context) ([]string, error)

HeaderKeys returns the list of the configured headers

func (*UIConfig) Headers added in v0.10.0

func (c *UIConfig) Headers(ctx context.Context) (http.Header, error)

Headers returns the response headers that should be returned in the UI

func (*UIConfig) SetHeader added in v0.10.0

func (c *UIConfig) SetHeader(ctx context.Context, header string, values []string) error

SetHeader sets the values for the given header

type UnimplementedRequestForwardingServer added in v1.2.0

// UnimplementedRequestForwardingServer must be embedded to have forward
// compatible implementations of the request-forwarding gRPC service. It
// supplies stub Echo, ForwardRequest and PerformanceStandbyElectionRequest
// methods.
type UnimplementedRequestForwardingServer struct {
}

UnimplementedRequestForwardingServer must be embedded to have forward compatible implementations.

func (UnimplementedRequestForwardingServer) Echo added in v1.2.0

func (UnimplementedRequestForwardingServer) ForwardRequest added in v1.2.0

func (UnimplementedRequestForwardingServer) PerformanceStandbyElectionRequest added in v1.2.0

type UnsafeRequestForwardingServer added in v1.9.0

// UnsafeRequestForwardingServer may be embedded to opt out of forward
// compatibility for this service. Use of this interface is not recommended,
// as added methods to RequestForwardingServer will result in compilation
// errors.
type UnsafeRequestForwardingServer interface {
	// contains filtered or unexported methods
}

UnsafeRequestForwardingServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to RequestForwardingServer will result in compilation errors.

type UnsealStrategy added in v0.11.2

// UnsealStrategy abstracts how a core is unsealed. It has only unexported
// methods, so it can be implemented only from within this package.
type UnsealStrategy interface {
	// contains filtered or unexported methods
}

type UserLockoutConfig added in v1.13.0

// UserLockoutConfig holds the user-lockout settings for an auth mount.
// Every field is tagged omitempty, so a zero value (threshold 0, zero
// duration, DisableLockout false) is indistinguishable from "unset" once
// marshalled; callers that need to express an explicit zero must handle
// that outside this struct.
type UserLockoutConfig struct {
	// LockoutThreshold is presumably the number of failed attempts that
	// triggers a lockout -- confirm against the consumer.
	LockoutThreshold    uint64        `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
	// LockoutDuration is presumably how long a lockout lasts.
	LockoutDuration     time.Duration `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
	// LockoutCounterReset is presumably the window after which the failed
	// attempt counter is reset.
	LockoutCounterReset time.Duration `json:"lockout_counter_reset,omitempty" structs:"lockout_counter_reset" mapstructure:"lockout_counter_reset"`
	// DisableLockout turns the lockout mechanism off entirely.
	DisableLockout      bool          `json:"disable_lockout,omitempty" structs:"disable_lockout" mapstructure:"disable_lockout"`
}

type ValidateMountResponse added in v1.9.0

// ValidateMountResponse is returned by Router.ValidateMountByAccessor and
// describes the mount that a mount accessor resolves to.
type ValidateMountResponse struct {
	MountType     string `json:"mount_type" structs:"mount_type" mapstructure:"mount_type"`
	MountAccessor string `json:"mount_accessor" structs:"mount_accessor" mapstructure:"mount_accessor"`
	MountPath     string `json:"mount_path" structs:"mount_path" mapstructure:"mount_path"`
	// MountLocal reports whether the mount is local to this cluster (not
	// replicated) -- inferred from the name; confirm against the router.
	MountLocal    bool   `json:"mount_local" structs:"mount_local" mapstructure:"mount_local"`
}

type VaultVersion added in v1.9.0

// VaultVersion records a Vault version together with when it was installed;
// presumably one entry per version the cluster has run (confirm against
// the version-history code).
type VaultVersion struct {
	TimestampInstalled time.Time
	Version            string
	BuildDate          string
}
