Affected by GO-2023-2063 and 8 other vulnerabilities

GO-2023-2063: HashiCorp Vault Improper Input Validation vulnerability in github.com/hashicorp/vault

GO-2023-2329: HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault

GO-2024-2617: Authentication bypass in github.com/hashicorp/vault

GO-2024-2690: HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault

GO-2024-2921: HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault

GO-2024-2982: Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions in github.com/hashicorp/vault

GO-2024-3162: Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault

GO-2024-3191: Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault

GO-2024-3246: Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault

cache

package

v1.14.1 Latest Latest Go to latest Published: Jul 21, 2023 License: MPL-2.0 Imports: 40 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/hashicorp/vault

Links

Open Source Insights

Documentation ¶

Index ¶

func NewMockProxier(responses []*SendResponse) *mockProxier
func ProxyHandler(ctx context.Context, logger hclog.Logger, proxier Proxier, inmemSink sink.Sink, ...) http.Handler
type APIProxy
- func (ap *APIProxy) Send(ctx context.Context, req *SendRequest) (*SendResponse, error)
type APIProxyConfig
type CacheMeta
type EnforceConsistency
type LeaseCache
- func NewLeaseCache(conf *LeaseCacheConfig) (*LeaseCache, error)
type LeaseCacheConfig
type ListenerBundle
- func StartListener(lnConfig *configutil.Listener) (*ListenerBundle, error)
type Proxier
- func NewAPIProxy(config *APIProxyConfig) (Proxier, error)
type SendRequest
type SendResponse
- func NewSendResponse(apiResponse *api.Response, responseBody []byte) (*SendResponse, error)
type WhenInconsistentAction

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func NewMockProxier ¶

func NewMockProxier(responses []*SendResponse) *mockProxier

func ProxyHandler ¶

func ProxyHandler(ctx context.Context, logger hclog.Logger, proxier Proxier, inmemSink sink.Sink, proxyVaultToken bool) http.Handler

Types ¶

type APIProxy ¶

type APIProxy struct {
	// contains filtered or unexported fields
}

APIProxy is an implementation of the proxier interface that is used to forward the request to Vault and get the response.

func (*APIProxy) Send ¶

func (ap *APIProxy) Send(ctx context.Context, req *SendRequest) (*SendResponse, error)

type APIProxyConfig ¶

type APIProxyConfig struct {
	Client                 *api.Client
	Logger                 hclog.Logger
	EnforceConsistency     EnforceConsistency
	WhenInconsistentAction WhenInconsistentAction
	// UserAgentString is used as the User Agent when the proxied client
	// does not have a user agent of its own.
	UserAgentString string
	// UserAgentStringFunction is the function to transform the proxied client's
	// user agent into one that includes Vault-specific information.
	UserAgentStringFunction func(string) string
}

type CacheMeta ¶

type CacheMeta struct {
	Hit bool
	Age time.Duration
}

CacheMeta contains metadata information about the response, such as whether it was a cache hit or miss, and the age of the cached entry.

type EnforceConsistency ¶

type EnforceConsistency int

const (
	EnforceConsistencyNever EnforceConsistency = iota
	EnforceConsistencyAlways
)

type LeaseCache ¶

type LeaseCache struct {
	// contains filtered or unexported fields
}

LeaseCache is an implementation of Proxier that handles the caching of responses. It passes the incoming request to an underlying Proxier implementation.

func NewLeaseCache ¶

func NewLeaseCache(conf *LeaseCacheConfig) (*LeaseCache, error)

NewLeaseCache creates a new instance of a LeaseCache.

func (*LeaseCache) Evict ¶

func (c *LeaseCache) Evict(index *cachememdb.Index) error

Evict removes an Index from the cachememdb, and also removes it from the persistent cache (if enabled)

func (*LeaseCache) Flush ¶

func (c *LeaseCache) Flush() error

Flush the cachememdb and persistent cache (if enabled)

func (*LeaseCache) HandleCacheClear ¶

func (c *LeaseCache) HandleCacheClear(ctx context.Context) http.Handler

HandleCacheClear returns a handlerFunc that can perform cache clearing operations.

func (*LeaseCache) PersistentStorage ¶

func (c *LeaseCache) PersistentStorage() *cacheboltdb.BoltStorage

PersistentStorage is a getter for the persistent storage field in LeaseCache

func (*LeaseCache) RegisterAutoAuthToken ¶

func (c *LeaseCache) RegisterAutoAuthToken(token string) error

RegisterAutoAuthToken adds the provided auto-token into the cache. This is primarily used to register the auto-auth token and should only be called within a sink's WriteToken func.

func (*LeaseCache) Restore ¶

func (c *LeaseCache) Restore(ctx context.Context, storage *cacheboltdb.BoltStorage) error

Restore loads the cachememdb from the persistent storage passed in. Loads tokens first, since restoring a lease's renewal context and watcher requires looking up the token in the cachememdb.

func (*LeaseCache) Send ¶

func (c *LeaseCache) Send(ctx context.Context, req *SendRequest) (*SendResponse, error)

Send performs a cache lookup on the incoming request. If it's a cache hit, it will return the cached response, otherwise it will delegate to the underlying Proxier and cache the received response.

func (*LeaseCache) Set ¶

func (c *LeaseCache) Set(ctx context.Context, index *cachememdb.Index) error

Set stores the index in the cachememdb, and also stores it in the persistent cache (if enabled)

func (*LeaseCache) SetPersistentStorage ¶

func (c *LeaseCache) SetPersistentStorage(storageIn *cacheboltdb.BoltStorage)

SetPersistentStorage is a setter for the persistent storage field in LeaseCache

func (*LeaseCache) SetShuttingDown ¶

func (c *LeaseCache) SetShuttingDown(in bool)

SetShuttingDown is a setter for the shuttingDown field

type LeaseCacheConfig ¶

type LeaseCacheConfig struct {
	Client      *api.Client
	BaseContext context.Context
	Proxier     Proxier
	Logger      hclog.Logger
	Storage     *cacheboltdb.BoltStorage
}

LeaseCacheConfig is the configuration for initializing a new Lease.

type ListenerBundle ¶

type ListenerBundle struct {
	Listener      net.Listener
	TLSConfig     *tls.Config
	TLSReloadFunc reloadutil.ReloadFunc
}

func StartListener ¶

func StartListener(lnConfig *configutil.Listener) (*ListenerBundle, error)

type Proxier ¶

type Proxier interface {
	Send(ctx context.Context, req *SendRequest) (*SendResponse, error)
}

Proxier is the interface implemented by different components that are responsible for performing specific tasks, such as caching and proxying. All these tasks combined together would serve the request received by the agent.

func NewAPIProxy ¶

func NewAPIProxy(config *APIProxyConfig) (Proxier, error)

type SendRequest ¶

type SendRequest struct {
	Token   string
	Request *http.Request

	// RequestBody is the stored body bytes from Request.Body. It is set here to
	// avoid reading and re-setting the stream multiple times.
	RequestBody []byte
}

SendRequest is the input for Proxier.Send.

type SendResponse ¶

type SendResponse struct {
	Response *api.Response

	// ResponseBody is the stored body bytes from Response.Body. It is set here to
	// avoid reading and re-setting the stream multiple times.
	ResponseBody []byte
	CacheMeta    *CacheMeta
}

SendResponse is the output from Proxier.Send.

func NewSendResponse ¶

func NewSendResponse(apiResponse *api.Response, responseBody []byte) (*SendResponse, error)

NewSendResponse creates a new SendResponse and takes care of initializing its fields properly.

type WhenInconsistentAction ¶

type WhenInconsistentAction int

const (
	WhenInconsistentFail WhenInconsistentAction = iota
	WhenInconsistentRetry
	WhenInconsistentForward
)

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
cacheboltdb
cachememdb
keymanager

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL