Documentation
Overview ¶
Example (EncryptDecryptType) ¶
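const rsa4096 = "rsa-4096"

// NOTE(review): the index lists NewClient(addr string, tlsConf *TLSConfig, opts ...ClientOpts)
// and no WithCaPath; this example may predate that signature — confirm before copying it.
c, err := NewClient("https://vault:8200/", WithCaPath(""), WithAuthToken("test"))
if err != nil {
	log.Fatal(err)
}
// The client token is a bearer credential; never print it. Show a non-secret
// value instead so the example does not teach leaking tokens into stdout/logs.
fmt.Println(c.Address())

transit := c.Transit()
key := "test123bacd"

// Exportable keys can have their raw key material pulled out of Vault with
// Export. Only enable this for keys that are genuinely meant to leave Vault.
err = transit.Create(key, &TransitCreateOptions{
	Exportable: BoolPtr(true),
	Type:       rsa4096,
})
if err != nil {
	log.Fatal(err)
}

res, err := transit.Read(key)
if err != nil {
	log.Fatal(err)
}
log.Printf("%+v\n", res.Data)

exportRes, err := transit.Export(key, TransitExportOptions{
	KeyType: "encryption-key",
})
if err != nil {
	log.Fatal(err)
}
// The export response carries the key material itself. Log only how many
// versions came back; the original printed Keys[1] with a malformed "%v+"
// verb, which both dumped the private key and could panic on a short result.
log.Printf("exported key versions: %d", len(exportRes.Data.Keys))

// NOTE(review): Vault's transit API expects Plaintext to be base64-encoded;
// confirm whether this client encodes it or the caller must.
encryptResponse, err := transit.Encrypt(key, &TransitEncryptOptions{
	Plaintext: "plaintext",
})
if err != nil {
	log.Fatalf("Error occurred during encryption: %v", err)
}
log.Println("Ciphertext: ", encryptResponse.Data.Ciphertext)

decryptResponse, err := transit.Decrypt(key, &TransitDecryptOptions{
	Ciphertext: encryptResponse.Data.Ciphertext,
})
if err != nil {
	log.Fatalf("Error occurred during decryption: %v", err)
}
log.Println("Plaintext: ", decryptResponse.Data.Plaintext)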
Output:
Example (K8sInCluster) ¶
// Log in with the Kubernetes auth method for role "myrole" and report the
// address the client ended up bound to.
client, err := NewClient("https://vault:8200/", WithCaPath(""), WithKubernetesAuth("myrole"))
if err != nil {
	log.Fatal(err)
}
log.Println(client.Address())
Output:
Example (TokenBased) ¶
// Authenticate with a static token. In real code the token should come from
// the environment or a secret store rather than a literal in source.
client, err := NewClient(
	"https://vault:8200/",
	WithCaPath(""),
	WithAuthToken("SECRET"),
)
if err != nil {
	log.Fatal(err)
}
log.Println(client.Address())
Output:
Index ¶
- Variables
- func BoolPtr(input bool) *bool
- func DecodeCipherText(vaultCipherText string) (string, int, error)
- func EncodeCipherText(cipherText string, keyVersion int) string
- func IntPtr(input int) *int
- func StringPtr(input string) *string
- type AuthProvider
- type AuthResponse
- type Client
- func (c *Client) Delete(path []string, body, response interface{}, opts *RequestOptions) error
- func (c *Client) KVv1() *KVv1
- func (c *Client) KVv1WithMountPoint(mountPoint string) *KVv1
- func (c *Client) List(path []string, body, response interface{}, opts *RequestOptions) error
- func (c *Client) Put(path []string, body, response interface{}, opts *RequestOptions) error
- func (c *Client) Read(path []string, response interface{}, opts *RequestOptions) error
- func (c *Client) Request(method string, path []string, body, response interface{}, opts *RequestOptions) error
- func (c *Client) SSH() *SSH
- func (c *Client) SSHWithMountPoint(mountPoint string) *SSH
- func (c *Client) Transit() *Transit
- func (c *Client) TransitWithMountPoint(mountPoint string) *Transit
- func (c *Client) Write(path []string, body, response interface{}, opts *RequestOptions) error
- type ClientOpts
- type KVv1
- type KVv1ListResponse
- type KVv1ReadResponse
- type KubernetesAuthOpt
- type RequestOptions
- type SSH
- type SSHReadPubKeyResponse
- type SSHSignOptions
- type SSHSignResponse
- type Service
- type TLSConfig
- type Transit
- func (t *Transit) Create(key string, opts *TransitCreateOptions) error
- func (t *Transit) Decrypt(key string, opts *TransitDecryptOptions) (*TransitDecryptResponse, error)
- func (t *Transit) DecryptBatch(key string, opts TransitDecryptOptionsBatch) (*TransitDecryptResponseBatch, error)
- func (t *Transit) Delete(key string) error
- func (t *Transit) Encrypt(key string, opts *TransitEncryptOptions) (*TransitEncryptResponse, error)
- func (t *Transit) EncryptBatch(key string, opts *TransitEncryptOptionsBatch) (*TransitEncryptResponseBatch, error)
- func (t *Transit) Export(key string, opts TransitExportOptions) (*TransitExportResponse, error)
- func (t *Transit) ForceDelete(key string) error
- func (t *Transit) KeyExists(key string) (bool, error)
- func (t *Transit) List() (*TransitListResponse, error)
- func (t *Transit) Read(key string) (*TransitReadResponse, error)
- func (t *Transit) Rotate(key string) error
- func (t *Transit) Sign(key string, opts *TransitSignOptions) (*TransitSignResponse, error)
- func (t *Transit) SignBatch(key string, opts *TransitSignOptionsBatch) (*TransitSignResponseBatch, error)
- func (t *Transit) Update(key string, opts TransitUpdateOptions) error
- func (t *Transit) Verify(key string, opts *TransitVerifyOptions) (*TransitVerifyResponse, error)
- func (t *Transit) VerifyBatch(key string, opts *TransitVerifyOptionsBatch) (*TransitVerifyResponseBatch, error)
- type TransitBatchCiphertext
- type TransitBatchPlaintext
- type TransitBatchSignInput
- type TransitBatchSignature
- type TransitBatchVerifyData
- type TransitBatchVerifyInput
- type TransitCreateOptions
- type TransitDecryptOptions
- type TransitDecryptOptionsBatch
- type TransitDecryptResponse
- type TransitDecryptResponseBatch
- type TransitEncryptOptions
- type TransitEncryptOptionsBatch
- type TransitEncryptResponse
- type TransitEncryptResponseBatch
- type TransitExportOptions
- type TransitExportResponse
- type TransitListResponse
- type TransitReadResponse
- type TransitReadResponseData
- type TransitSignOptions
- type TransitSignOptionsBatch
- type TransitSignResponse
- type TransitSignResponseBatch
- type TransitUpdateOptions
- type TransitVerifyOptions
- type TransitVerifyOptionsBatch
- type TransitVerifyResponse
- type TransitVerifyResponseBatch
- type UserpassAuth
- type UserpassAuthOpt
Examples ¶
Constants ¶
This section is empty.
Variables ¶
// ErrEncKeyNotFound reports that a requested encryption key could not be found.
// Callers should compare with errors.Is rather than by string.
var ErrEncKeyNotFound = errors.New("encryption key not found")
Functions ¶
func DecodeCipherText ¶ added in v0.1.3
DecodeCipherText extracts the payload from the Vault ciphertext format (strips the "vault:v<ver>:" prefix) and also returns the key version that prefix carried.
func EncodeCipherText ¶ added in v0.1.3
EncodeCipherText encodes a payload into the Vault ciphertext format (adds the "vault:v<ver>:" prefix).
Types ¶
type AuthProvider ¶
// AuthProvider is the login abstraction used by the client. NewKubernetesAuth
// and NewUserpassAuth both return one. Auth performs the login against Vault
// and returns the response; its Auth.ClientToken is the token to use afterwards.
type AuthProvider interface {
	Auth() (*AuthResponse, error)
}
func NewKubernetesAuth ¶
func NewKubernetesAuth(c *Client, role string, opts ...KubernetesAuthOpt) (AuthProvider, error)
func NewUserpassAuth ¶ added in v0.1.6
func NewUserpassAuth(c *Client, username string, password string, opts ...UserpassAuthOpt) (AuthProvider, error)
type AuthResponse ¶ added in v0.0.6
// AuthResponse mirrors the "auth" object of a Vault login response.
// Treat a populated value as a secret: ClientToken is a bearer credential.
type AuthResponse struct {
	Auth struct {
		// ClientToken is the Vault token issued by the login.
		ClientToken string `json:"client_token"`
		// Accessor identifies the token without granting its rights.
		Accessor string `json:"accessor"`
		// Policies lists the policies attached to the token.
		Policies []string `json:"policies"`
		// LeaseDuration is the token TTL as reported by Vault (units as returned by Vault).
		LeaseDuration int `json:"lease_duration"`
		// Renewable reports whether the token can be renewed.
		Renewable bool `json:"renewable"`
		// Metadata carries the service-account fields set by the Kubernetes
		// auth method; other auth methods presumably leave them empty — confirm.
		Metadata struct {
			Role                     string `json:"role"`
			ServiceAccountName       string `json:"service_account_name"`
			ServiceAccountNamespace  string `json:"service_account_namespace"`
			ServiceAccountSecretName string `json:"service_account_secret_name"`
			ServiceAccountUID        string `json:"service_account_uid"`
		} `json:"metadata"`
	} `json:"auth"`
}
type Client ¶
func NewClient ¶
func NewClient(addr string, tlsConf *TLSConfig, opts ...ClientOpts) (*Client, error)
func (*Client) Delete ¶
func (c *Client) Delete(path []string, body, response interface{}, opts *RequestOptions) error
func (*Client) KVv1WithMountPoint ¶ added in v0.1.5
func (*Client) List ¶
func (c *Client) List(path []string, body, response interface{}, opts *RequestOptions) error
func (*Client) Put ¶ added in v0.1.5
func (c *Client) Put(path []string, body, response interface{}, opts *RequestOptions) error
func (*Client) Read ¶
func (c *Client) Read(path []string, response interface{}, opts *RequestOptions) error
func (*Client) Request ¶
func (c *Client) Request(method string, path []string, body, response interface{}, opts *RequestOptions) error
func (*Client) SSHWithMountPoint ¶ added in v0.1.8
func (*Client) TransitWithMountPoint ¶
type ClientOpts ¶
func WithAuthToken ¶
func WithAuthToken(token string) ClientOpts
func WithKubernetesAuth ¶
func WithKubernetesAuth(role string, opts ...KubernetesAuthOpt) ClientOpts
func WithUserpassAuth ¶ added in v0.1.6
func WithUserpassAuth(username string, password string, opts ...UserpassAuthOpt) ClientOpts
type KVv1ListResponse ¶ added in v0.1.5
// KVv1ListResponse is the response body of a KV v1 list operation.
type KVv1ListResponse struct {
	Data struct {
		// Keys holds the entry names under the listed path.
		Keys []string `json:"keys"`
	} `json:"data"`
}
type KVv1ReadResponse ¶ added in v0.1.5
type KubernetesAuthOpt ¶
// KubernetesAuthOpt configures the Kubernetes auth provider before login.
// See WithJwt, WithJwtFromFile and WithMountPoint for the available options.
type KubernetesAuthOpt func(k *kubernetesAuth) error
func WithJwt ¶
func WithJwt(jwt string) KubernetesAuthOpt
func WithJwtFromFile ¶
func WithJwtFromFile(path string) KubernetesAuthOpt
func WithMountPoint ¶
func WithMountPoint(mountPoint string) KubernetesAuthOpt
type RequestOptions ¶ added in v0.0.6
// RequestOptions tunes a single Client request (Read, Write, List, Delete, Put, Request).
type RequestOptions struct {
	// Parameters is presumably sent as the request's query string — confirm against Request.
	Parameters url.Values
	// SkipRenewal defines if the client should retry this Request with a new Token if it fails because of
	// 403 Permission Denied.
	// The default behavior of the client is to always Request a new Token on 403.
	// Only if this is explicitly set to true, the client will continue processing the first failed request
	// and skip the renewal.
	// This should generally only be disabled for TokenAuth requests (a failed TokenAuth request can't be fixed by
	// doing another TokenAuth request, this would lead to infinite recursion).
	SkipRenewal bool
}
type SSH ¶ added in v0.1.8
// SSH is the helper for a Vault SSH secrets engine. Obtain one from
// Client.SSH (default mount) or Client.SSHWithMountPoint; the embedded
// Service supplies MountPoint.
type SSH struct {
	Service
}
func (*SSH) GetVaultPubKey ¶ added in v0.1.9
func (*SSH) Sign ¶ added in v0.1.8
func (k *SSH) Sign(role string, sshopts SSHSignOptions) (*SSHSignResponse, error)
type SSHReadPubKeyResponse ¶ added in v0.1.9
type SSHSignOptions ¶ added in v0.1.8
type SSHSignResponse ¶ added in v0.1.8
type Service ¶ added in v0.0.6
// Service is the common base embedded by the secrets-engine helpers (SSH, Transit).
type Service struct {
	// MountPoint is the path the secrets engine is mounted at.
	MountPoint string
	// contains filtered or unexported fields
}
type Transit ¶
// Transit is the helper for a Vault transit secrets engine. Obtain one from
// Client.Transit (default mount) or Client.TransitWithMountPoint; the
// embedded Service supplies MountPoint.
type Transit struct {
	Service
}
func (*Transit) Decrypt ¶
func (t *Transit) Decrypt(key string, opts *TransitDecryptOptions) (*TransitDecryptResponse, error)
func (*Transit) DecryptBatch ¶
func (t *Transit) DecryptBatch(key string, opts TransitDecryptOptionsBatch) (*TransitDecryptResponseBatch, error)
func (*Transit) Encrypt ¶
func (t *Transit) Encrypt(key string, opts *TransitEncryptOptions) (*TransitEncryptResponse, error)
func (*Transit) EncryptBatch ¶
func (t *Transit) EncryptBatch(key string, opts *TransitEncryptOptionsBatch) (*TransitEncryptResponseBatch, error)
func (*Transit) Export ¶
func (t *Transit) Export(key string, opts TransitExportOptions) (*TransitExportResponse, error)
func (*Transit) ForceDelete ¶
func (*Transit) List ¶
func (t *Transit) List() (*TransitListResponse, error)
Example ¶
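c, err := NewClient(
	"https://vault:8200/",
	WithCaPath(""),
	WithAuthToken("SECRET"),
)
if err != nil {
	log.Fatal(err)
}
l, err := c.TransitWithMountPoint("transit").List()
if err != nil {
	// The original called log.Fatal() with no arguments, which exits without
	// ever reporting why the list failed; pass err so the cause is logged.
	log.Fatal(err)
}
log.Println(l)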
Output:
func (*Transit) Sign ¶ added in v0.1.3
func (t *Transit) Sign(key string, opts *TransitSignOptions) (*TransitSignResponse, error)
func (*Transit) SignBatch ¶ added in v0.1.3
func (t *Transit) SignBatch(key string, opts *TransitSignOptionsBatch) (*TransitSignResponseBatch, error)
func (*Transit) Verify ¶ added in v0.1.3
func (t *Transit) Verify(key string, opts *TransitVerifyOptions) (*TransitVerifyResponse, error)
func (*Transit) VerifyBatch ¶ added in v0.1.3
func (t *Transit) VerifyBatch(key string, opts *TransitVerifyOptionsBatch) (*TransitVerifyResponseBatch, error)
type TransitBatchCiphertext ¶
type TransitBatchPlaintext ¶
type TransitBatchSignInput ¶ added in v0.1.3
type TransitBatchSignature ¶ added in v0.1.3
type TransitBatchVerifyData ¶ added in v0.1.3
// TransitBatchVerifyData is one entry of a batch verification result.
type TransitBatchVerifyData struct {
	// Valid reports whether the corresponding signature verified.
	Valid bool `json:"valid"`
}
type TransitBatchVerifyInput ¶ added in v0.1.3
type TransitCreateOptions ¶
type TransitDecryptOptions ¶
type TransitDecryptOptionsBatch ¶
// TransitDecryptOptionsBatch is the request body for Transit.DecryptBatch.
type TransitDecryptOptionsBatch struct {
	// BatchInput lists the ciphertexts to decrypt, in order.
	BatchInput []TransitBatchCiphertext `json:"batch_input"`
}
type TransitDecryptResponse ¶
// TransitDecryptResponse is the response body of Transit.Decrypt.
type TransitDecryptResponse struct {
	Data struct {
		// Plaintext is the recovered plaintext as returned by Vault.
		Plaintext string `json:"plaintext"`
	} `json:"data"`
}
type TransitDecryptResponseBatch ¶
// TransitDecryptResponseBatch is the response body of Transit.DecryptBatch.
type TransitDecryptResponseBatch struct {
	Data struct {
		// BatchResults holds one plaintext per batch input, in order.
		BatchResults []TransitBatchPlaintext `json:"batch_results"`
	} `json:"data"`
}
type TransitEncryptOptions ¶
// TransitEncryptOptions is the request body for Transit.Encrypt.
type TransitEncryptOptions struct {
	// Plaintext to encrypt. NOTE(review): Vault's transit API expects this
	// base64-encoded; confirm whether the client encodes it or the caller must.
	Plaintext string `json:"plaintext"`
	// Context is the key-derivation context; only meaningful for derived keys.
	Context string `json:"context,omitempty"`
	// KeyVersion selects the key version to encrypt with; nil lets Vault choose.
	KeyVersion *int `json:"key_version,omitempty"`
	// Nonce is normally left empty so Vault generates one. Supplying a nonce
	// is only meaningful with convergent encryption, and reusing a nonce under
	// the same key undermines the cipher's guarantees.
	Nonce string `json:"nonce,omitempty"`
	// Type is forwarded as-is to Vault.
	Type string `json:"type,omitempty"`
	// ConvergentEncryption is forwarded as-is to Vault (note it is a string here, not a bool).
	ConvergentEncryption string `json:"convergent_encryption,omitempty"`
}
type TransitEncryptOptionsBatch ¶
// TransitEncryptOptionsBatch is the request body for Transit.EncryptBatch.
type TransitEncryptOptionsBatch struct {
	// BatchInput lists the plaintexts to encrypt, in order.
	BatchInput []TransitBatchPlaintext `json:"batch_input"`
	// KeyVersion selects the key version for the whole batch; nil lets Vault choose.
	KeyVersion *int `json:"key_version,omitempty"`
	// Type is forwarded as-is to Vault.
	Type string `json:"type,omitempty"`
	// ConvergentEncryption is forwarded as-is to Vault (note it is a string here, not a bool).
	ConvergentEncryption string `json:"convergent_encryption,omitempty"`
}
type TransitEncryptResponse ¶
// TransitEncryptResponse is the response body of Transit.Encrypt.
type TransitEncryptResponse struct {
	Data struct {
		// Ciphertext is in Vault's "vault:v<ver>:..." format (see DecodeCipherText).
		Ciphertext string `json:"ciphertext"`
	} `json:"data"`
}
type TransitEncryptResponseBatch ¶
// TransitEncryptResponseBatch is the response body of Transit.EncryptBatch.
type TransitEncryptResponseBatch struct {
	Data struct {
		// BatchResults holds one ciphertext per batch input, in order.
		BatchResults []TransitBatchCiphertext `json:"batch_results"`
	} `json:"data"`
}
type TransitExportOptions ¶
type TransitExportResponse ¶
type TransitListResponse ¶
// TransitListResponse is the response body of Transit.List.
type TransitListResponse struct {
	Data struct {
		// Keys holds the names of the keys in the transit mount.
		Keys []string `json:"keys"`
	} `json:"data"`
}
type TransitReadResponse ¶
// TransitReadResponse is the response body of Transit.Read; the key's
// configuration lives in Data.
type TransitReadResponse struct {
	Data TransitReadResponseData `json:"data"`
}
type TransitReadResponseData ¶
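// TransitReadResponseData is the "data" object Vault returns when a transit
// key's configuration is read.
type TransitReadResponseData struct {
	Name string `json:"name"`
	Type string `json:"type"`
	// Keys maps a key version number to that version's metadata; the value
	// is left untyped here.
	Keys map[int]interface{} `json:"keys"`
	// MinDecryptionVersion is the oldest key version Vault will still decrypt
	// with. The JSON tag was previously misspelled ("min_decrytion_version"),
	// so this field was never populated from the response and always read 0.
	MinDecryptionVersion int `json:"min_decryption_version"`
	// MinEncryptionVersion is the oldest key version allowed for encryption.
	MinEncryptionVersion int `json:"min_encryption_version"`
	LatestVersion        int `json:"latest_version"`
	// DeletionAllowed must be true before the key can be deleted.
	DeletionAllowed bool `json:"deletion_allowed"`
	Derived         bool `json:"derived"`
	// Exportable reports whether the key material may be exported; Vault
	// documents this setting as irreversible once enabled.
	Exportable           bool `json:"exportable"`
	AllowPlaintextBackup bool `json:"allow_plaintext_backup"`
	SupportsEncryption   bool `json:"supports_encryption"`
	SupportsDecryption   bool `json:"supports_decryption"`
	SupportsDerivation   bool `json:"supports_derivation"`
	SupportsSigning      bool `json:"supports_signing"`
}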
type TransitSignOptions ¶ added in v0.1.3
// TransitSignOptions is the request body for Transit.Sign.
type TransitSignOptions struct {
	// Input is the data (or, with Prehashed, the digest) to sign.
	Input string `json:"input"`
	// KeyVersion selects the signing key version; nil lets Vault choose.
	KeyVersion *int `json:"key_version,omitempty"`
	// HashAlgorithm, SignatureAlgorithm, MarshalingAlgorithm and SaltLength are
	// forwarded as-is to Vault; empty values are omitted so Vault's defaults apply.
	HashAlgorithm string `json:"hash_algorithm,omitempty"`
	// Context is the key-derivation context; only meaningful for derived keys.
	Context string `json:"context,omitempty"`
	// Prehashed indicates Input is already a hash digest rather than raw data.
	Prehashed            bool   `json:"prehashed,omitempty"`
	SignatureAlgorithm   string `json:"signature_algorithm,omitempty"`
	MarshalingAlgorithm  string `json:"marshaling_algorithm,omitempty"`
	SaltLength           string `json:"salt_length,omitempty"`
}
type TransitSignOptionsBatch ¶ added in v0.1.3
// TransitSignOptionsBatch is the request body for Transit.SignBatch. The
// algorithm settings apply to every entry in BatchInput.
type TransitSignOptionsBatch struct {
	// BatchInput lists the inputs to sign, in order.
	BatchInput []TransitBatchSignInput `json:"batch_input"`
	// KeyVersion selects the signing key version; nil lets Vault choose.
	KeyVersion *int `json:"key_version,omitempty"`
	// HashAlgorithm, SignatureAlgorithm, MarshalingAlgorithm and SaltLength are
	// forwarded as-is to Vault; empty values are omitted so Vault's defaults apply.
	HashAlgorithm string `json:"hash_algorithm,omitempty"`
	// Prehashed indicates the inputs are already hash digests.
	Prehashed            bool   `json:"prehashed,omitempty"`
	SignatureAlgorithm   string `json:"signature_algorithm,omitempty"`
	MarshalingAlgorithm  string `json:"marshaling_algorithm,omitempty"`
	SaltLength           string `json:"salt_length,omitempty"`
}
type TransitSignResponse ¶ added in v0.1.3
type TransitSignResponseBatch ¶ added in v0.1.3
// TransitSignResponseBatch is the response body of Transit.SignBatch.
type TransitSignResponseBatch struct {
	Data struct {
		// BatchResults holds one signature per batch input, in order.
		BatchResults []TransitBatchSignature `json:"batch_results"`
	} `json:"data"`
}
type TransitUpdateOptions ¶
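// TransitUpdateOptions is the request body for Transit.Update (the key's
// config endpoint). Zero/nil fields are omitted so Vault leaves them unchanged.
type TransitUpdateOptions struct {
	// MinDecryptionVersion retires older key versions: ciphertext produced by
	// versions below it can no longer be decrypted. The JSON tag was previously
	// misspelled ("min_decrytion_version"), so Vault silently ignored the
	// setting and callers believed old versions were retired when they were not.
	MinDecryptionVersion int `json:"min_decryption_version,omitempty"`
	// MinEncryptionVersion is the oldest key version allowed for encryption.
	MinEncryptionVersion int `json:"min_encryption_version,omitempty"`
	// DeletionAllowed must be set to true before the key can be deleted.
	DeletionAllowed *bool `json:"deletion_allowed,omitempty"`
	// Exportable permits exporting the key material; Vault documents this as
	// irreversible once enabled, so set it deliberately.
	Exportable *bool `json:"exportable,omitempty"`
	// AllowPlaintextBackup permits plaintext backups of the key; likewise
	// documented by Vault as irreversible once enabled.
	AllowPlaintextBackup *bool `json:"allow_plaintext_backup,omitempty"`
}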
type TransitVerifyOptions ¶ added in v0.1.3
// TransitVerifyOptions is the request body for Transit.Verify. The algorithm
// settings must match those used when the signature was produced.
type TransitVerifyOptions struct {
	// Input is the data (or, with Prehashed, the digest) the signature covers.
	Input string `json:"input"`
	// Signature is the value to verify, as returned by Transit.Sign.
	Signature string `json:"signature"`
	// HashAlgorithm, SignatureAlgorithm, MarshalingAlgorithm and SaltLength are
	// forwarded as-is to Vault; empty values are omitted so Vault's defaults apply.
	HashAlgorithm string `json:"hash_algorithm,omitempty"`
	// Context is the key-derivation context; only meaningful for derived keys.
	Context string `json:"context,omitempty"`
	// Prehashed indicates Input is already a hash digest rather than raw data.
	Prehashed            bool   `json:"prehashed,omitempty"`
	SignatureAlgorithm   string `json:"signature_algorithm,omitempty"`
	MarshalingAlgorithm  string `json:"marshaling_algorithm,omitempty"`
	SaltLength           string `json:"salt_length,omitempty"`
}
type TransitVerifyOptionsBatch ¶ added in v0.1.3
// TransitVerifyOptionsBatch is the request body for Transit.VerifyBatch. The
// algorithm settings apply to every entry in BatchInput.
type TransitVerifyOptionsBatch struct {
	// BatchInput lists the input/signature pairs to verify, in order.
	BatchInput []TransitBatchVerifyInput `json:"batch_input"`
	// HashAlgorithm, SignatureAlgorithm, MarshalingAlgorithm and SaltLength are
	// forwarded as-is to Vault; empty values are omitted so Vault's defaults apply.
	HashAlgorithm string `json:"hash_algorithm,omitempty"`
	// Context is the key-derivation context; only meaningful for derived keys.
	Context string `json:"context,omitempty"`
	// Prehashed indicates the inputs are already hash digests.
	Prehashed            bool   `json:"prehashed,omitempty"`
	SignatureAlgorithm   string `json:"signature_algorithm,omitempty"`
	MarshalingAlgorithm  string `json:"marshaling_algorithm,omitempty"`
	SaltLength           string `json:"salt_length,omitempty"`
}
type TransitVerifyResponse ¶ added in v0.1.3
// TransitVerifyResponse is the response body of Transit.Verify. A nil error
// from Verify does not mean the signature is good — check Data.Valid.
type TransitVerifyResponse struct {
	Data struct {
		// Valid reports whether the signature verified against the input.
		Valid bool `json:"valid"`
	} `json:"data"`
}
type TransitVerifyResponseBatch ¶ added in v0.1.3
// TransitVerifyResponseBatch is the response body of Transit.VerifyBatch.
// Each entry's Valid must be checked individually; a nil error only means
// the request itself succeeded.
type TransitVerifyResponseBatch struct {
	Data struct {
		// BatchResults holds one verification result per batch input, in order.
		BatchResults []TransitBatchVerifyData `json:"batch_results"`
	} `json:"data"`
}
type UserpassAuth ¶ added in v0.1.6
// UserpassAuth is the AuthProvider for Vault's userpass auth method; build it
// with NewUserpassAuth. The credentials presumably live in the unexported
// fields — keep values of this type out of logs.
type UserpassAuth struct {
	// Client is the client the login request is sent through.
	Client *Client
	// contains filtered or unexported fields
}
func (UserpassAuth) Auth ¶ added in v0.1.6
func (k UserpassAuth) Auth() (*AuthResponse, error)
type UserpassAuthOpt ¶ added in v0.1.6
// UserpassAuthOpt configures a UserpassAuth before login; see WithUserpassMountPoint.
type UserpassAuthOpt func(k *UserpassAuth) error
func WithUserpassMountPoint ¶ added in v0.1.6
func WithUserpassMountPoint(mountPoint string) UserpassAuthOpt