Documentation ¶
Index ¶
- func HashAuth(salter *salt.Salt, in *logical.Auth, HMACAccessor bool) (*logical.Auth, error)
- func HashRequest(salter *salt.Salt, in *logical.Request, HMACAccessor bool, ...) (*logical.Request, error)
- func HashResponse(salter *salt.Salt, in *logical.Response, HMACAccessor bool, ...) (*logical.Response, error)
- func HashString(salter *salt.Salt, data string) string
- func HashStructure(s interface{}, cb HashCallback, ignoredKeys []string) error
- func HashWrapInfo(salter *salt.Salt, in *wrapping.ResponseWrapInfo, HMACAccessor bool) (*wrapping.ResponseWrapInfo, error)
- type AuditAuth
- type AuditFormatWriter
- type AuditFormatter
- type AuditNamespace
- type AuditPolicyResults
- type AuditRequest
- type AuditRequestEntry
- type AuditResponse
- type AuditResponseEntry
- type AuditResponseWrapInfo
- type AuditSecret
- type Backend
- type BackendConfig
- type Factory
- type Formatter
- type FormatterConfig
- type HashCallback
- type JSONFormatWriter
- type JSONxFormatWriter
- type PolicyInfo
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func HashRequest ¶ added in v1.2.0
func HashRequest(salter *salt.Salt, in *logical.Request, HMACAccessor bool, nonHMACDataKeys []string) (*logical.Request, error)
HashRequest returns a hashed copy of the logical.Request input.
func HashResponse ¶ added in v1.2.0
func HashResponse( salter *salt.Salt, in *logical.Response, HMACAccessor bool, nonHMACDataKeys []string, elideListResponseData bool, ) (*logical.Response, error)
HashResponse returns a hashed copy of the logical.Request input.
func HashString ¶ added in v0.4.0
HashString hashes the given opaque string and returns it
func HashStructure ¶
func HashStructure(s interface{}, cb HashCallback, ignoredKeys []string) error
HashStructure takes an interface and hashes all the values within the structure. Only _values_ are hashed: keys of objects are not.
For the HashCallback, see the built-in HashCallbacks below.
func HashWrapInfo ¶ added in v1.2.0
func HashWrapInfo(salter *salt.Salt, in *wrapping.ResponseWrapInfo, HMACAccessor bool) (*wrapping.ResponseWrapInfo, error)
HashWrapInfo returns a hashed copy of the wrapping.ResponseWrapInfo input.
Types ¶
type AuditAuth ¶ added in v0.6.2
type AuditAuth struct { ClientToken string `json:"client_token,omitempty"` Accessor string `json:"accessor,omitempty"` DisplayName string `json:"display_name,omitempty"` Policies []string `json:"policies,omitempty"` TokenPolicies []string `json:"token_policies,omitempty"` IdentityPolicies []string `json:"identity_policies,omitempty"` ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies,omitempty"` NoDefaultPolicy bool `json:"no_default_policy,omitempty"` PolicyResults *AuditPolicyResults `json:"policy_results,omitempty"` Metadata map[string]string `json:"metadata,omitempty"` NumUses int `json:"num_uses,omitempty"` RemainingUses int `json:"remaining_uses,omitempty"` EntityID string `json:"entity_id,omitempty"` EntityCreated bool `json:"entity_created,omitempty"` TokenType string `json:"token_type,omitempty"` TokenTTL int64 `json:"token_ttl,omitempty"` TokenIssueTime string `json:"token_issue_time,omitempty"` }
type AuditFormatWriter ¶ added in v0.6.2
type AuditFormatWriter interface { // WriteRequest writes the request entry to the writer or returns an error. WriteRequest(io.Writer, *AuditRequestEntry) error // WriteResponse writes the response entry to the writer or returns an error. WriteResponse(io.Writer, *AuditResponseEntry) error // Salt returns a non-nil salt or an error. Salt(context.Context) (*salt.Salt, error) }
type AuditFormatter ¶ added in v0.6.2
type AuditFormatter struct {
AuditFormatWriter
}
AuditFormatter implements the Formatter interface, and allows the underlying marshaller to be swapped out
func NewTemporaryFormatter ¶ added in v1.7.0
func NewTemporaryFormatter(format, prefix string) *AuditFormatter
NewTemporaryFormatter creates a formatter not backed by a persistent salt
func (*AuditFormatter) FormatRequest ¶ added in v0.6.2
func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config FormatterConfig, in *logical.LogInput) error
func (*AuditFormatter) FormatResponse ¶ added in v0.6.2
func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config FormatterConfig, in *logical.LogInput) error
type AuditNamespace ¶ added in v0.11.2
type AuditPolicyResults ¶ added in v1.11.0
type AuditPolicyResults struct { Allowed bool `json:"allowed"` GrantingPolicies []PolicyInfo `json:"granting_policies,omitempty"` }
type AuditRequest ¶ added in v0.6.2
type AuditRequest struct { ID string `json:"id,omitempty"` ClientID string `json:"client_id,omitempty"` ReplicationCluster string `json:"replication_cluster,omitempty"` Operation logical.Operation `json:"operation,omitempty"` MountPoint string `json:"mount_point,omitempty"` MountType string `json:"mount_type,omitempty"` MountAccessor string `json:"mount_accessor,omitempty"` ClientToken string `json:"client_token,omitempty"` ClientTokenAccessor string `json:"client_token_accessor,omitempty"` Namespace *AuditNamespace `json:"namespace,omitempty"` Path string `json:"path,omitempty"` Data map[string]interface{} `json:"data,omitempty"` PolicyOverride bool `json:"policy_override,omitempty"` RemoteAddr string `json:"remote_address,omitempty"` RemotePort int `json:"remote_port,omitempty"` WrapTTL int `json:"wrap_ttl,omitempty"` Headers map[string][]string `json:"headers,omitempty"` ClientCertificateSerialNumber string `json:"client_certificate_serial_number,omitempty"` }
type AuditRequestEntry ¶ added in v0.6.2
type AuditRequestEntry struct { Time string `json:"time,omitempty"` Type string `json:"type,omitempty"` Auth *AuditAuth `json:"auth,omitempty"` Request *AuditRequest `json:"request,omitempty"` Error string `json:"error,omitempty"` }
AuditRequestEntry is the structure of a request audit log entry in Audit.
type AuditResponse ¶ added in v0.6.2
type AuditResponse struct { Auth *AuditAuth `json:"auth,omitempty"` MountPoint string `json:"mount_point,omitempty"` MountType string `json:"mount_type,omitempty"` MountAccessor string `json:"mount_accessor,omitempty"` Secret *AuditSecret `json:"secret,omitempty"` Data map[string]interface{} `json:"data,omitempty"` Warnings []string `json:"warnings,omitempty"` Redirect string `json:"redirect,omitempty"` WrapInfo *AuditResponseWrapInfo `json:"wrap_info,omitempty"` Headers map[string][]string `json:"headers,omitempty"` }
type AuditResponseEntry ¶ added in v0.6.2
type AuditResponseEntry struct { Time string `json:"time,omitempty"` Type string `json:"type,omitempty"` Auth *AuditAuth `json:"auth,omitempty"` Request *AuditRequest `json:"request,omitempty"` Response *AuditResponse `json:"response,omitempty"` Error string `json:"error,omitempty"` }
AuditResponseEntry is the structure of a response audit log entry in Audit.
type AuditResponseWrapInfo ¶ added in v0.6.5
type AuditResponseWrapInfo struct { TTL int `json:"ttl,omitempty"` Token string `json:"token,omitempty"` Accessor string `json:"accessor,omitempty"` CreationTime string `json:"creation_time,omitempty"` CreationPath string `json:"creation_path,omitempty"` WrappedAccessor string `json:"wrapped_accessor,omitempty"` }
type AuditSecret ¶ added in v0.6.2
type AuditSecret struct {
LeaseID string `json:"lease_id,omitempty"`
}
type Backend ¶
type Backend interface { // LogRequest is used to synchronously log a request. This is done after the // request is authorized but before the request is executed. The arguments // MUST not be modified in anyway. They should be deep copied if this is // a possibility. LogRequest(context.Context, *logical.LogInput) error // LogResponse is used to synchronously log a response. This is done after // the request is processed but before the response is sent. The arguments // MUST not be modified in anyway. They should be deep copied if this is // a possibility. LogResponse(context.Context, *logical.LogInput) error // LogTestMessage is used to check an audit backend before adding it // permanently. It should attempt to synchronously log the given test // message, WITHOUT using the normal Salt (which would require a storage // operation on creation, which is currently disallowed.) LogTestMessage(context.Context, *logical.LogInput, map[string]string) error // GetHash is used to return the given data with the backend's hash, // so that a caller can determine if a value in the audit log matches // an expected plaintext value GetHash(context.Context, string) (string, error) // Reload is called on SIGHUP for supporting backends. Reload(context.Context) error // Invalidate is called for path invalidation Invalidate(context.Context) }
Backend interface must be implemented for an audit mechanism to be made available. Audit backends can be enabled to sink information to different backends such as logs, file, databases, or other external services.
type BackendConfig ¶ added in v0.3.0
type BackendConfig struct { // The view to store the salt SaltView logical.Storage // The salt config that should be used for any secret obfuscation SaltConfig *salt.Config // Config is the opaque user configuration provided when mounting Config map[string]string }
BackendConfig contains configuration parameters used in the factory func to instantiate audit backends
type Factory ¶
type Factory func(context.Context, *BackendConfig) (Backend, error)
Factory is the factory function to create an audit backend.
type Formatter ¶
type Formatter interface { FormatRequest(context.Context, io.Writer, FormatterConfig, *logical.LogInput) error FormatResponse(context.Context, io.Writer, FormatterConfig, *logical.LogInput) error }
Formatter is an interface that is responsible for formatting a request/response into some format. Formatters write their output to an io.Writer.
It is recommended that you pass data through Hash prior to formatting it.
type FormatterConfig ¶ added in v0.6.2
type FormatterConfig struct { Raw bool HMACAccessor bool // Vault lacks pagination in its APIs. As a result, certain list operations can return **very** large responses. // The user's chosen audit sinks may experience difficulty consuming audit records that swell to tens of megabytes // of JSON. The responses of list operations are typically not very interesting, as they are mostly lists of keys, // or, even when they include a "key_info" field, are not returning confidential information. They become even less // interesting once HMAC-ed by the audit system. // // Some example Vault "list" operations that are prone to becoming very large in an active Vault installation are: // auth/token/accessors/ // identity/entity/id/ // identity/entity-alias/id/ // pki/certs/ // // This option exists to provide such users with the option to have response data elided from audit logs, only when // the operation type is "list". For added safety, the elision only applies to the "keys" and "key_info" fields // within the response data - these are conventionally the only fields present in a list response - see // logical.ListResponse, and logical.ListResponseWithInfo. However, other fields are technically possible if a // plugin author writes unusual code, and these will be preserved in the audit log even with this option enabled. // The elision replaces the values of the "keys" and "key_info" fields with an integer count of the number of // entries. This allows even the elided audit logs to still be useful for answering questions like // "Was any data returned?" or "How many records were listed?". ElideListResponses bool // This should only ever be used in a testing context OmitTime bool }
type HashCallback ¶
HashCallback is the callback called for HashStructure to hash a value.
type JSONFormatWriter ¶ added in v0.6.2
JSONFormatWriter is an AuditFormatWriter implementation that structures data into a JSON format.
func (*JSONFormatWriter) WriteRequest ¶ added in v0.6.2
func (f *JSONFormatWriter) WriteRequest(w io.Writer, req *AuditRequestEntry) error
func (*JSONFormatWriter) WriteResponse ¶ added in v0.6.2
func (f *JSONFormatWriter) WriteResponse(w io.Writer, resp *AuditResponseEntry) error
type JSONxFormatWriter ¶ added in v0.6.2
JSONxFormatWriter is an AuditFormatWriter implementation that structures data into a XML format.
func (*JSONxFormatWriter) WriteRequest ¶ added in v0.6.2
func (f *JSONxFormatWriter) WriteRequest(w io.Writer, req *AuditRequestEntry) error
func (*JSONxFormatWriter) WriteResponse ¶ added in v0.6.2
func (f *JSONxFormatWriter) WriteResponse(w io.Writer, resp *AuditResponseEntry) error