Documentation ¶
Index ¶
- Constants
- Variables
- type Audit
- type Auth
- type AuthConfigInput
- type AuthConfigOutput
- type AuthMount
- type CORSRequest
- type CORSResponse
- type Client
- func (c *Client) Address() string
- func (c *Client) Auth() *Auth
- func (c *Client) ClearToken()
- func (c *Client) Clone() (*Client, error)
- func (c *Client) Help(path string) (*Help, error)
- func (c *Client) Logical() *Logical
- func (c *Client) NewRenewer(i *RenewerInput) (*Renewer, error)
- func (c *Client) NewRequest(method, requestPath string) *Request
- func (c *Client) RawRequest(r *Request) (*Response, error)
- func (c *Client) SSH() *SSH
- func (c *Client) SSHHelper() *SSHHelper
- func (c *Client) SSHHelperWithMountPoint(mountPoint string) *SSHHelper
- func (c *Client) SSHWithMountPoint(mountPoint string) *SSH
- func (c *Client) SetAddress(addr string) error
- func (c *Client) SetClientTimeout(timeout time.Duration)
- func (c *Client) SetHeaders(headers http.Header)
- func (c *Client) SetMFACreds(creds []string)
- func (c *Client) SetMaxRetries(retries int)
- func (c *Client) SetPolicyOverride(override bool)
- func (c *Client) SetToken(v string)
- func (c *Client) SetWrappingLookupFunc(lookupFunc WrappingLookupFunc)
- func (c *Client) Sys() *Sys
- func (c *Client) Token() string
- type Config
- type EnableAuditOptions
- type EnableAuthOptions
- type ErrorResponse
- type GenerateRootStatusResponse
- type HealthResponse
- type Help
- type InitRequest
- type InitResponse
- type InitStatusResponse
- type KeyStatus
- type LeaderResponse
- type Logical
- func (c *Logical) Delete(path string) (*Secret, error)
- func (c *Logical) List(path string) (*Secret, error)
- func (c *Logical) Read(path string) (*Secret, error)
- func (c *Logical) Unwrap(wrappingToken string) (*Secret, error)
- func (c *Logical) Write(path string, data map[string]interface{}) (*Secret, error)
- type MountConfigInput
- type MountConfigOutput
- type MountInput
- type MountOutput
- type RekeyInitRequest
- type RekeyRetrieveResponse
- type RekeyStatusResponse
- type RekeyUpdateResponse
- type RenewOutput
- type Renewer
- type RenewerInput
- type Request
- type Response
- type SSH
- type SSHHelper
- type SSHHelperConfig
- type SSHVerifyResponse
- type SealStatusResponse
- type Secret
- func (s *Secret) TokenAccessor() (string, error)
- func (s *Secret) TokenID() (string, error)
- func (s *Secret) TokenIsRenewable() (bool, error)
- func (s *Secret) TokenMetadata() (map[string]string, error)
- func (s *Secret) TokenPolicies() ([]string, error)
- func (s *Secret) TokenRemainingUses() (int, error)
- func (s *Secret) TokenTTL() (time.Duration, error)
- type SecretAuth
- type SecretWrapInfo
- type Sys
- func (c *Sys) AuditHash(path string, input string) (string, error)
- func (c *Sys) CORSStatus() (*CORSResponse, error)
- func (c *Sys) Capabilities(token, path string) ([]string, error)
- func (c *Sys) CapabilitiesSelf(path string) ([]string, error)
- func (c *Sys) ConfigureCORS(req *CORSRequest) (*CORSResponse, error)
- func (c *Sys) DeletePolicy(name string) error
- func (c *Sys) DisableAudit(path string) error
- func (c *Sys) DisableAuth(path string) error
- func (c *Sys) DisableCORS() (*CORSResponse, error)
- func (c *Sys) EnableAudit(path string, auditType string, desc string, opts map[string]string) error
- func (c *Sys) EnableAuditWithOptions(path string, options *EnableAuditOptions) error
- func (c *Sys) EnableAuth(path, authType, desc string) error
- func (c *Sys) EnableAuthWithOptions(path string, options *EnableAuthOptions) error
- func (c *Sys) GenerateDROperationTokenCancel() error
- func (c *Sys) GenerateDROperationTokenInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateDROperationTokenStatus() (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateDROperationTokenUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRootCancel() error
- func (c *Sys) GenerateRootInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRootStatus() (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRootUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GetPolicy(name string) (string, error)
- func (c *Sys) Health() (*HealthResponse, error)
- func (c *Sys) Init(opts *InitRequest) (*InitResponse, error)
- func (c *Sys) InitStatus() (bool, error)
- func (c *Sys) KeyStatus() (*KeyStatus, error)
- func (c *Sys) Leader() (*LeaderResponse, error)
- func (c *Sys) ListAudit() (map[string]*Audit, error)
- func (c *Sys) ListAuth() (map[string]*AuthMount, error)
- func (c *Sys) ListMounts() (map[string]*MountOutput, error)
- func (c *Sys) ListPolicies() ([]string, error)
- func (c *Sys) Mount(path string, mountInfo *MountInput) error
- func (c *Sys) MountConfig(path string) (*MountConfigOutput, error)
- func (c *Sys) PutPolicy(name, rules string) error
- func (c *Sys) RekeyCancel() error
- func (c *Sys) RekeyDeleteBackup() error
- func (c *Sys) RekeyDeleteRecoveryBackup() error
- func (c *Sys) RekeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)
- func (c *Sys) RekeyRecoveryKeyCancel() error
- func (c *Sys) RekeyRecoveryKeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)
- func (c *Sys) RekeyRecoveryKeyStatus() (*RekeyStatusResponse, error)
- func (c *Sys) RekeyRecoveryKeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)
- func (c *Sys) RekeyRetrieveBackup() (*RekeyRetrieveResponse, error)
- func (c *Sys) RekeyRetrieveRecoveryBackup() (*RekeyRetrieveResponse, error)
- func (c *Sys) RekeyStatus() (*RekeyStatusResponse, error)
- func (c *Sys) RekeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)
- func (c *Sys) Remount(from, to string) error
- func (c *Sys) Renew(id string, increment int) (*Secret, error)
- func (c *Sys) ResetUnsealProcess() (*SealStatusResponse, error)
- func (c *Sys) Revoke(id string) error
- func (c *Sys) RevokeForce(id string) error
- func (c *Sys) RevokePrefix(id string) error
- func (c *Sys) Rotate() error
- func (c *Sys) Seal() error
- func (c *Sys) SealStatus() (*SealStatusResponse, error)
- func (c *Sys) StepDown() error
- func (c *Sys) TuneMount(path string, config MountConfigInput) error
- func (c *Sys) Unmount(path string) error
- func (c *Sys) Unseal(shard string) (*SealStatusResponse, error)
- type TLSConfig
- type TokenAuth
- func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error)
- func (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, error)
- func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error)
- func (c *TokenAuth) Lookup(token string) (*Secret, error)
- func (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error)
- func (c *TokenAuth) LookupSelf() (*Secret, error)
- func (c *TokenAuth) Renew(token string, increment int) (*Secret, error)
- func (c *TokenAuth) RenewSelf(increment int) (*Secret, error)
- func (c *TokenAuth) RenewTokenAsSelf(token string, increment int) (*Secret, error)
- func (c *TokenAuth) RevokeAccessor(accessor string) error
- func (c *TokenAuth) RevokeOrphan(token string) error
- func (c *TokenAuth) RevokeSelf(token string) error
- func (c *TokenAuth) RevokeTree(token string) error
- type TokenCreateRequest
- type WrappingLookupFunc
Constants ¶
const ( // SSHHelperDefaultMountPoint is the default path at which SSH backend will be // mounted in the Vault server. SSHHelperDefaultMountPoint = "ssh" // VerifyEchoRequest is the echo request message sent as OTP by the helper. VerifyEchoRequest = "verify-echo-request" // VerifyEchoResponse is the echo response message sent as a response to OTP // matching echo request. VerifyEchoResponse = "verify-echo-response" )
const EnvVaultAddress = "VAULT_ADDR"
const EnvVaultCACert = "VAULT_CACERT"
const EnvVaultCAPath = "VAULT_CAPATH"
const EnvVaultClientCert = "VAULT_CLIENT_CERT"
const EnvVaultClientKey = "VAULT_CLIENT_KEY"
const EnvVaultClientTimeout = "VAULT_CLIENT_TIMEOUT"
const EnvVaultInsecure = "VAULT_SKIP_VERIFY"
const EnvVaultMFA = "VAULT_MFA"
const EnvVaultMaxRetries = "VAULT_MAX_RETRIES"
const EnvVaultTLSServerName = "VAULT_TLS_SERVER_NAME"
const EnvVaultToken = "VAULT_TOKEN"
const EnvVaultWrapTTL = "VAULT_WRAP_TTL"
Variables ¶
var ( // The default TTL that will be used with `sys/wrapping/wrap`, can be // changed DefaultWrappingTTL = "5m" // The default function used if no other function is set, which honors the // env var and wraps `sys/wrapping/wrap` DefaultWrappingLookupFunc = func(operation, path string) string { if os.Getenv(EnvVaultWrapTTL) != "" { return os.Getenv(EnvVaultWrapTTL) } if (operation == "PUT" || operation == "POST") && path == "sys/wrapping/wrap" { return DefaultWrappingTTL } return "" } )
var ( ErrRenewerMissingInput = errors.New("missing input to renewer") ErrRenewerMissingSecret = errors.New("missing secret to renew") ErrRenewerNotRenewable = errors.New("secret is not renewable") ErrRenewerNoSecretData = errors.New("returned empty secret data") // DefaultRenewerGrace is the default grace period DefaultRenewerGrace = 15 * time.Second // DefaultRenewerRenewBuffer is the default size of the buffer for renew // messages on the channel. DefaultRenewerRenewBuffer = 5 )
Functions ¶
This section is empty.
Types ¶
type Auth ¶
type Auth struct {
// contains filtered or unexported fields
}
Auth is used to perform credential backend related operations.
type AuthConfigInput ¶ added in v0.8.2
type AuthConfigInput struct {
PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
}
type AuthConfigOutput ¶ added in v0.6.1
type AuthConfigOutput struct { DefaultLeaseTTL int `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` MaxLeaseTTL int `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"` PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"` }
type AuthMount ¶
type AuthMount struct { Type string `json:"type" structs:"type" mapstructure:"type"` Description string `json:"description" structs:"description" mapstructure:"description"` Accessor string `json:"accessor" structs:"accessor" mapstructure:"accessor"` Config AuthConfigOutput `json:"config" structs:"config" mapstructure:"config"` Local bool `json:"local" structs:"local" mapstructure:"local"` SealWrap bool `json:"seal_wrap" structs:"seal_wrap" mapstructure:"seal_wrap"` }
type CORSRequest ¶ added in v0.8.0
type CORSResponse ¶ added in v0.8.0
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
Client is the client to the Vault API. Create a client with NewClient.
func NewClient ¶
NewClient returns a new client for the given configuration.
If the configuration is nil, Vault will use configuration from DefaultConfig(), which is the recommended starting configuration.
If the environment variable `VAULT_TOKEN` is present, the token will be automatically added to the client. Otherwise, you must manually call `SetToken()`.
func (*Client) Address ¶ added in v0.6.3
Address returns the Vault URL the client is configured to connect to
func (*Client) ClearToken ¶
func (c *Client) ClearToken()
ClearToken deletes the token if it is set or does nothing otherwise.
func (*Client) Clone ¶ added in v0.8.0
Clone creates a new client with the same configuration. Note that the same underlying http.Client is used; modifying the client from more than one goroutine at once may not be safe, so modify the client as needed and then clone.
func (*Client) NewRenewer ¶ added in v0.8.0
func (c *Client) NewRenewer(i *RenewerInput) (*Renewer, error)
NewRenewer creates a new renewer from the given input.
func (*Client) NewRequest ¶
NewRequest creates a new raw request object to query the Vault server configured for this client. This is an advanced method and generally doesn't need to be called externally.
func (*Client) RawRequest ¶
RawRequest performs the raw request given. This request may be against a Vault server not configured with this client. This is an advanced operation that generally won't need to be called externally.
func (*Client) SSHHelper ¶ added in v0.5.1
SSHHelper creates an SSHHelper object which can talk to Vault server with SSH backend mounted at default path ("ssh").
func (*Client) SSHHelperWithMountPoint ¶ added in v0.5.1
SSHHelperWithMountPoint creates an SSHHelper object which can talk to Vault server with SSH backend mounted at a specific mount point.
func (*Client) SSHWithMountPoint ¶ added in v0.3.0
SSHWithMountPoint returns the client with specific SSH mount point.
func (*Client) SetAddress ¶ added in v0.6.1
Sets the address of Vault in the client. The format of address should be "<Scheme>://<Host>:<Port>". Setting this on a client will override the value of VAULT_ADDR environment variable.
func (*Client) SetClientTimeout ¶ added in v0.8.0
SetClientTimeout sets the client request timeout
func (*Client) SetHeaders ¶ added in v0.9.0
SetHeaders sets the headers to be used for future requests.
func (*Client) SetMFACreds ¶ added in v0.9.0
SetMFACreds sets the MFA credentials supplied either via the environment variable or via the command line.
func (*Client) SetMaxRetries ¶ added in v0.7.0
SetMaxRetries sets the number of retries that will be used in the case of certain errors
func (*Client) SetPolicyOverride ¶ added in v0.9.0
SetPolicyOverride sets whether requests should be sent with the policy override flag to request overriding soft-mandatory Sentinel policies (both RGPs and EGPs)
func (*Client) SetToken ¶
SetToken sets the token directly. This won't perform any auth verification, it simply sets the token properly for future requests.
func (*Client) SetWrappingLookupFunc ¶ added in v0.6.0
func (c *Client) SetWrappingLookupFunc(lookupFunc WrappingLookupFunc)
SetWrappingLookupFunc sets a lookup function that returns desired wrap TTLs for a given operation and path
type Config ¶
type Config struct { // Address is the address of the Vault server. This should be a complete // URL such as "http://vault.example.com". If you need a custom SSL // cert or want to enable insecure mode, you need to specify a custom // HttpClient. Address string // HttpClient is the HTTP client to use. Vault sets sane defaults for the // http.Client and its associated http.Transport created in DefaultConfig. // If you must modify Vault's defaults, it is suggested that you start with // that client and modify as needed rather than start with an empty client // (or http.DefaultClient). HttpClient *http.Client // MaxRetries controls the maximum number of times to retry when a 5xx error // occurs. Set to 0 or less to disable retrying. Defaults to 0. MaxRetries int // Timeout is for setting custom timeout parameter in the HttpClient Timeout time.Duration // If there is an error when creating the configuration, this will be the // error Error error // contains filtered or unexported fields }
Config is used to configure the creation of the client.
func DefaultConfig ¶
func DefaultConfig() *Config
DefaultConfig returns a default configuration for the client. It is safe to modify the return value of this function.
The default Address is https://127.0.0.1:8200, but this can be overridden by setting the `VAULT_ADDR` environment variable.
If an error is encountered, this will return nil.
func (*Config) ConfigureTLS ¶ added in v0.6.1
ConfigureTLS takes a set of TLS configurations and applies those to the the HTTP client.
func (*Config) ReadEnvironment ¶ added in v0.4.0
ReadEnvironment reads configuration information from the environment. If there is an error, no configuration value is updated.
type EnableAuditOptions ¶ added in v0.7.0
type EnableAuthOptions ¶ added in v0.7.0
type EnableAuthOptions struct { Type string `json:"type" structs:"type"` Description string `json:"description" structs:"description"` Config AuthConfigInput `json:"config" structs:"config"` Local bool `json:"local" structs:"local"` PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty"` SealWrap bool `json:"seal_wrap" structs:"seal_wrap" mapstructure:"seal_wrap"` }
type ErrorResponse ¶
type ErrorResponse struct {
Errors []string
}
ErrorResponse is the raw structure of errors when they're returned by the HTTP API.
type GenerateRootStatusResponse ¶ added in v0.5.0
type GenerateRootStatusResponse struct { Nonce string `json:"nonce"` Started bool `json:"started"` Progress int `json:"progress"` Required int `json:"required"` Complete bool `json:"complete"` EncodedToken string `json:"encoded_token"` EncodedRootToken string `json:"encoded_root_token"` PGPFingerprint string `json:"pgp_fingerprint"` }
type HealthResponse ¶ added in v0.7.3
type HealthResponse struct { Initialized bool `json:"initialized"` Sealed bool `json:"sealed"` Standby bool `json:"standby"` ReplicationPerformanceMode string `json:"replication_performance_mode"` ReplicationDRMode string `json:"replication_dr_mode"` ServerTimeUTC int64 `json:"server_time_utc"` Version string `json:"version"` ClusterName string `json:"cluster_name,omitempty"` ClusterID string `json:"cluster_id,omitempty"` }
type InitRequest ¶
type InitResponse ¶
type InitStatusResponse ¶
type InitStatusResponse struct {
Initialized bool
}
type LeaderResponse ¶
type Logical ¶
type Logical struct {
// contains filtered or unexported fields
}
Logical is used to perform logical backend operations on Vault.
type MountConfigInput ¶ added in v0.3.0
type MountConfigInput struct { DefaultLeaseTTL string `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` MaxLeaseTTL string `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"` ForceNoCache bool `json:"force_no_cache" structs:"force_no_cache" mapstructure:"force_no_cache"` PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"` }
type MountConfigOutput ¶ added in v0.3.0
type MountConfigOutput struct { DefaultLeaseTTL int `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` MaxLeaseTTL int `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"` ForceNoCache bool `json:"force_no_cache" structs:"force_no_cache" mapstructure:"force_no_cache"` PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"` }
type MountInput ¶ added in v0.3.0
type MountInput struct { Type string `json:"type" structs:"type"` Description string `json:"description" structs:"description"` Config MountConfigInput `json:"config" structs:"config"` Local bool `json:"local" structs:"local"` PluginName string `json:"plugin_name,omitempty" structs:"plugin_name"` SealWrap bool `json:"seal_wrap" structs:"seal_wrap" mapstructure:"seal_wrap"` }
type MountOutput ¶ added in v0.3.0
type MountOutput struct { Type string `json:"type" structs:"type"` Description string `json:"description" structs:"description"` Accessor string `json:"accessor" structs:"accessor"` Config MountConfigOutput `json:"config" structs:"config"` Local bool `json:"local" structs:"local"` SealWrap bool `json:"seal_wrap" structs:"seal_wrap" mapstructure:"seal_wrap"` }
type RekeyInitRequest ¶ added in v0.2.0
type RekeyRetrieveResponse ¶ added in v0.5.0
type RekeyStatusResponse ¶ added in v0.2.0
type RekeyUpdateResponse ¶ added in v0.2.0
type RenewOutput ¶ added in v0.8.0
type RenewOutput struct { // RenewedAt is the timestamp when the renewal took place (UTC). RenewedAt time.Time // Secret is the underlying renewal data. It's the same struct as all data // that is returned from Vault, but since this is renewal data, it will not // usually include the secret itself. Secret *Secret }
RenewOutput is the metadata returned to the client (if it's listening) to renew messages.
type Renewer ¶ added in v0.8.0
type Renewer struct {
// contains filtered or unexported fields
}
Renewer is a process for renewing a secret.
renewer, err := client.NewRenewer(&RenewerInput{ Secret: mySecret, }) go renewer.Renew() defer renewer.Stop() for { select { case err := <-renewer.DoneCh(): if err != nil { log.Fatal(err) } // Renewal is now over case renewal := <-renewer.RenewCh(): log.Printf("Successfully renewed: %#v", renewal) } }
The `DoneCh` will return if renewal fails or if the remaining lease duration after a renewal is less than or equal to the grace (in number of seconds). In both cases, the caller should attempt a re-read of the secret. Clients should check the return value of the channel to see if renewal was successful.
func (*Renewer) DoneCh ¶ added in v0.8.0
DoneCh returns the channel where the renewer will publish when renewal stops. If there is an error, this will be an error.
func (*Renewer) Renew ¶ added in v0.8.0
func (r *Renewer) Renew()
Renew starts a background process for renewing this secret. When the secret is has auth data, this attempts to renew the auth (token). When the secret has a lease, this attempts to renew the lease.
func (*Renewer) RenewCh ¶ added in v0.8.0
func (r *Renewer) RenewCh() <-chan *RenewOutput
RenewCh is a channel that receives a message when a successful renewal takes place and includes metadata about the renewal.
type RenewerInput ¶ added in v0.8.0
type RenewerInput struct { // Secret is the secret to renew Secret *Secret // Grace is a minimum renewal before returning so the upstream client // can do a re-read. This can be used to prevent clients from waiting // too long to read a new credential and incur downtime. Grace time.Duration // Rand is the randomizer to use for underlying randomization. If not // provided, one will be generated and seeded automatically. If provided, it // is assumed to have already been seeded. Rand *rand.Rand // RenewBuffer is the size of the buffered channel where renew messages are // dispatched. RenewBuffer int // The new TTL, in seconds, that should be set on the lease. The TTL set // here may or may not be honored by the vault server, based on Vault // configuration or any associated max TTL values. Increment int }
RenewerInput is used as input to the renew function.
type Request ¶
type Request struct { Method string URL *url.URL Params url.Values Headers http.Header ClientToken string MFAHeaderVals []string WrapTTL string Obj interface{} Body io.Reader BodySize int64 // Whether to request overriding soft-mandatory Sentinel policies (RGPs and // EGPs). If set, the override flag will take effect for all policies // evaluated during the request. PolicyOverride bool }
Request is a raw request configuration structure used to initiate API requests to the Vault server.
func (*Request) ResetJSONBody ¶
ResetJSONBody is used to reset the body for a redirect
func (*Request) SetJSONBody ¶
SetJSONBody is used to set a request body that is a JSON-encoded value.
type Response ¶
Response is a raw response that wraps an HTTP response.
func (*Response) DecodeJSON ¶
DecodeJSON will decode the response body to a JSON structure. This will consume the response body, but will not close it. Close must still be called.
type SSH ¶ added in v0.3.0
type SSH struct { MountPoint string // contains filtered or unexported fields }
SSH is used to return a client to invoke operations on SSH backend.
func (*SSH) Credential ¶ added in v0.3.0
Credential invokes the SSH backend API to create a credential to establish an SSH session.
type SSHHelper ¶ added in v0.5.1
type SSHHelper struct { MountPoint string // contains filtered or unexported fields }
SSHHelper is a structure representing a vault-ssh-helper which can talk to vault server in order to verify the OTP entered by the user. It contains the path at which SSH backend is mounted at the server.
func (*SSHHelper) Verify ¶ added in v0.5.1
func (c *SSHHelper) Verify(otp string) (*SSHVerifyResponse, error)
Verify verifies if the key provided by user is present in Vault server. The response will contain the IP address and username associated with the OTP. In case the OTP matches the echo request message, instead of searching an entry for the OTP, an echo response message is returned. This feature is used by ssh-helper to verify if its configured correctly.
type SSHHelperConfig ¶ added in v0.5.1
type SSHHelperConfig struct { VaultAddr string `hcl:"vault_addr"` SSHMountPoint string `hcl:"ssh_mount_point"` CACert string `hcl:"ca_cert"` CAPath string `hcl:"ca_path"` AllowedCidrList string `hcl:"allowed_cidr_list"` AllowedRoles string `hcl:"allowed_roles"` TLSSkipVerify bool `hcl:"tls_skip_verify"` TLSServerName string `hcl:"tls_server_name"` }
SSHHelperConfig is a structure which represents the entries from the vault-ssh-helper's configuration file.
func LoadSSHHelperConfig ¶ added in v0.5.1
func LoadSSHHelperConfig(path string) (*SSHHelperConfig, error)
LoadSSHHelperConfig loads ssh-helper's configuration from the file and populates the corresponding in-memory structure.
Vault address is a required parameter. Mount point defaults to "ssh".
func ParseSSHHelperConfig ¶ added in v0.5.2
func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error)
ParseSSHHelperConfig parses the given contents as a string for the SSHHelper configuration.
func (*SSHHelperConfig) NewClient ¶ added in v0.5.1
func (c *SSHHelperConfig) NewClient() (*Client, error)
NewClient returns a new client for the configuration. This client will be used by the vault-ssh-helper to communicate with Vault server and verify the OTP entered by user. If the configuration supplies Vault SSL certificates, then the client will have TLS configured in its transport.
func (*SSHHelperConfig) SetTLSParameters ¶ added in v0.5.1
func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool)
SetTLSParameters sets the TLS parameters for this SSH agent.
type SSHVerifyResponse ¶ added in v0.3.0
type SSHVerifyResponse struct { // Usually empty. If the request OTP is echo request message, this will // be set to the corresponding echo response message. Message string `json:"message" structs:"message" mapstructure:"message"` // Username associated with the OTP Username string `json:"username" structs:"username" mapstructure:"username"` // IP associated with the OTP IP string `json:"ip" structs:"ip" mapstructure:"ip"` // Name of the role against which the OTP was issued RoleName string `json:"role_name" structs:"role_name" mapstructure:"role_name"` }
SSHVerifyResponse is a structure representing the fields in Vault server's response.
type SealStatusResponse ¶
type SealStatusResponse struct { Type string `json:"type"` Sealed bool `json:"sealed"` T int `json:"t"` N int `json:"n"` Progress int `json:"progress"` Nonce string `json:"nonce"` Version string `json:"version"` ClusterName string `json:"cluster_name,omitempty"` ClusterID string `json:"cluster_id,omitempty"` RecoverySeal bool `json:"recovery_seal"` }
type Secret ¶
type Secret struct { // The request ID that generated this response RequestID string `json:"request_id"` LeaseID string `json:"lease_id"` LeaseDuration int `json:"lease_duration"` Renewable bool `json:"renewable"` // Data is the actual contents of the secret. The format of the data // is arbitrary and up to the secret backend. Data map[string]interface{} `json:"data"` // Warnings contains any warnings related to the operation. These // are not issues that caused the command to fail, but that the // client should be aware of. Warnings []string `json:"warnings"` // Auth, if non-nil, means that there was authentication information // attached to this response. Auth *SecretAuth `json:"auth,omitempty"` // WrapInfo, if non-nil, means that the initial response was wrapped in the // cubbyhole of the given token (which has a TTL of the given number of // seconds) WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"` }
Secret is the structure returned for every secret within Vault.
func ParseSecret ¶
ParseSecret is used to parse a secret value from JSON from an io.Reader.
func (*Secret) TokenAccessor ¶ added in v0.9.2
TokenAccessor returns the standardized token accessor for the given secret. If the secret is nil or does not contain an accessor, this returns the empty string.
func (*Secret) TokenID ¶ added in v0.9.2
TokenID returns the standardized token ID (token) for the given secret.
func (*Secret) TokenIsRenewable ¶ added in v0.9.2
TokenIsRenewable returns the standardized token renewability for the given secret. If the secret is nil or does not contain the "renewable" key, this returns false.
func (*Secret) TokenMetadata ¶ added in v0.9.2
TokenMetadata returns the map of metadata associated with this token, if any exists. If the secret is nil or does not contain the "metadata" key, this returns nil.
func (*Secret) TokenPolicies ¶ added in v0.9.2
TokenPolicies returns the standardized list of policies for the given secret. If the secret is nil or does not contain any policies, this returns nil.
func (*Secret) TokenRemainingUses ¶ added in v0.9.2
TokenRemainingUses returns the standardized remaining uses for the given secret. If the secret is nil or does not contain the "num_uses", this returns -1. On error, this will return -1 and a non-nil error.
type SecretAuth ¶
type SecretAuth struct { ClientToken string `json:"client_token"` Accessor string `json:"accessor"` Policies []string `json:"policies"` Metadata map[string]string `json:"metadata"` LeaseDuration int `json:"lease_duration"` Renewable bool `json:"renewable"` }
SecretAuth is the structure containing auth information if we have it.
type SecretWrapInfo ¶ added in v0.6.0
type SecretWrapInfo struct { Token string `json:"token"` Accessor string `json:"accessor"` TTL int `json:"ttl"` CreationTime time.Time `json:"creation_time"` CreationPath string `json:"creation_path"` WrappedAccessor string `json:"wrapped_accessor"` }
SecretWrapInfo contains wrapping information if we have it. If what is contained is an authentication token, the accessor for the token will be available in WrappedAccessor.
type Sys ¶
type Sys struct {
// contains filtered or unexported fields
}
Sys is used to perform system-related operations on Vault.
func (*Sys) CORSStatus ¶ added in v0.8.0
func (c *Sys) CORSStatus() (*CORSResponse, error)
func (*Sys) Capabilities ¶ added in v0.5.2
func (*Sys) CapabilitiesSelf ¶ added in v0.5.2
func (*Sys) ConfigureCORS ¶ added in v0.8.0
func (c *Sys) ConfigureCORS(req *CORSRequest) (*CORSResponse, error)
func (*Sys) DeletePolicy ¶
func (*Sys) DisableAudit ¶
func (*Sys) DisableAuth ¶
func (*Sys) DisableCORS ¶ added in v0.8.0
func (c *Sys) DisableCORS() (*CORSResponse, error)
func (*Sys) EnableAudit ¶
func (c *Sys) EnableAudit( path string, auditType string, desc string, opts map[string]string) error
DEPRECATED: Use EnableAuditWithOptions instead
func (*Sys) EnableAuditWithOptions ¶ added in v0.7.0
func (c *Sys) EnableAuditWithOptions(path string, options *EnableAuditOptions) error
func (*Sys) EnableAuth ¶
DEPRECATED: Use EnableAuthWithOptions instead
func (*Sys) EnableAuthWithOptions ¶ added in v0.7.0
func (c *Sys) EnableAuthWithOptions(path string, options *EnableAuthOptions) error
func (*Sys) GenerateDROperationTokenCancel ¶ added in v0.9.0
func (*Sys) GenerateDROperationTokenInit ¶ added in v0.9.0
func (c *Sys) GenerateDROperationTokenInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)
func (*Sys) GenerateDROperationTokenStatus ¶ added in v0.9.0
func (c *Sys) GenerateDROperationTokenStatus() (*GenerateRootStatusResponse, error)
func (*Sys) GenerateDROperationTokenUpdate ¶ added in v0.9.0
func (c *Sys) GenerateDROperationTokenUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRootCancel ¶ added in v0.5.0
func (*Sys) GenerateRootInit ¶ added in v0.5.0
func (c *Sys) GenerateRootInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRootStatus ¶ added in v0.5.0
func (c *Sys) GenerateRootStatus() (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRootUpdate ¶ added in v0.5.0
func (c *Sys) GenerateRootUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)
func (*Sys) Health ¶ added in v0.7.3
func (c *Sys) Health() (*HealthResponse, error)
func (*Sys) Init ¶
func (c *Sys) Init(opts *InitRequest) (*InitResponse, error)
func (*Sys) InitStatus ¶
func (*Sys) Leader ¶
func (c *Sys) Leader() (*LeaderResponse, error)
func (*Sys) ListMounts ¶
func (c *Sys) ListMounts() (map[string]*MountOutput, error)
func (*Sys) ListPolicies ¶
func (*Sys) MountConfig ¶ added in v0.3.0
func (c *Sys) MountConfig(path string) (*MountConfigOutput, error)
func (*Sys) RekeyCancel ¶ added in v0.2.0
func (*Sys) RekeyDeleteBackup ¶ added in v0.5.0
func (*Sys) RekeyDeleteRecoveryBackup ¶ added in v0.6.0
func (*Sys) RekeyInit ¶ added in v0.2.0
func (c *Sys) RekeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)
func (*Sys) RekeyRecoveryKeyCancel ¶ added in v0.6.0
func (*Sys) RekeyRecoveryKeyInit ¶ added in v0.6.0
func (c *Sys) RekeyRecoveryKeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)
func (*Sys) RekeyRecoveryKeyStatus ¶ added in v0.6.0
func (c *Sys) RekeyRecoveryKeyStatus() (*RekeyStatusResponse, error)
func (*Sys) RekeyRecoveryKeyUpdate ¶ added in v0.6.0
func (c *Sys) RekeyRecoveryKeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)
func (*Sys) RekeyRetrieveBackup ¶ added in v0.5.0
func (c *Sys) RekeyRetrieveBackup() (*RekeyRetrieveResponse, error)
func (*Sys) RekeyRetrieveRecoveryBackup ¶ added in v0.6.0
func (c *Sys) RekeyRetrieveRecoveryBackup() (*RekeyRetrieveResponse, error)
func (*Sys) RekeyStatus ¶ added in v0.2.0
func (c *Sys) RekeyStatus() (*RekeyStatusResponse, error)
func (*Sys) RekeyUpdate ¶ added in v0.2.0
func (c *Sys) RekeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)
func (*Sys) ResetUnsealProcess ¶ added in v0.4.0
func (c *Sys) ResetUnsealProcess() (*SealStatusResponse, error)
func (*Sys) RevokeForce ¶ added in v0.5.2
func (*Sys) RevokePrefix ¶
func (*Sys) SealStatus ¶
func (c *Sys) SealStatus() (*SealStatusResponse, error)
type TLSConfig ¶ added in v0.6.1
type TLSConfig struct { // CACert is the path to a PEM-encoded CA cert file to use to verify the // Vault server SSL certificate. CACert string // CAPath is the path to a directory of PEM-encoded CA cert files to verify // the Vault server SSL certificate. CAPath string // ClientCert is the path to the certificate for Vault communication ClientCert string // ClientKey is the path to the private key for Vault communication ClientKey string // TLSServerName, if set, is used to set the SNI host when connecting via // TLS. TLSServerName string // Insecure enables or disables SSL verification Insecure bool }
TLSConfig contains the parameters needed to configure TLS on the HTTP client used to communicate with Vault.
type TokenAuth ¶
type TokenAuth struct {
// contains filtered or unexported fields
}
TokenAuth is used to perform token backend operations on Vault
func (*TokenAuth) CreateOrphan ¶ added in v0.6.2
func (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, error)
func (*TokenAuth) CreateWithRole ¶ added in v0.5.2
func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error)
func (*TokenAuth) LookupAccessor ¶ added in v0.5.2
func (*TokenAuth) LookupSelf ¶ added in v0.4.0
func (*TokenAuth) RenewTokenAsSelf ¶ added in v0.8.0
RenewTokenAsSelf behaves like renew-self, but authenticates using a provided token instead of the token attached to the client.
func (*TokenAuth) RevokeAccessor ¶ added in v0.5.2
RevokeAccessor revokes a token associated with the given accessor along with all the child tokens.
func (*TokenAuth) RevokeOrphan ¶
RevokeOrphan revokes a token without revoking the tree underneath it (so child tokens are orphaned rather than revoked)
func (*TokenAuth) RevokeSelf ¶ added in v0.4.0
RevokeSelf revokes the token making the call. The `token` parameter is kept for backwards compatibility but is ignored; only the client's set token has an effect.
func (*TokenAuth) RevokeTree ¶
RevokeTree is the "normal" revoke operation that revokes the given token and the entire tree underneath -- all of its child tokens, their child tokens, etc.
type TokenCreateRequest ¶
type TokenCreateRequest struct { ID string `json:"id,omitempty"` Policies []string `json:"policies,omitempty"` Metadata map[string]string `json:"meta,omitempty"` Lease string `json:"lease,omitempty"` TTL string `json:"ttl,omitempty"` ExplicitMaxTTL string `json:"explicit_max_ttl,omitempty"` Period string `json:"period,omitempty"` NoParent bool `json:"no_parent,omitempty"` NoDefaultPolicy bool `json:"no_default_policy,omitempty"` DisplayName string `json:"display_name"` NumUses int `json:"num_uses"` Renewable *bool `json:"renewable,omitempty"` }
TokenCreateRequest is the options structure for creating a token.
type WrappingLookupFunc ¶ added in v0.6.0
WrappingLookupFunc is a function that, given an HTTP verb and a path, returns an optional string duration to be used for response wrapping (e.g. "15s", or simply "15"). The path will not begin with "/v1/" or "v1/" or "/", however, end-of-path forward slashes are not trimmed, so must match your called path precisely.
Source Files ¶
- auth.go
- auth_token.go
- client.go
- help.go
- logical.go
- renewer.go
- request.go
- response.go
- secret.go
- ssh.go
- ssh_agent.go
- sys.go
- sys_audit.go
- sys_auth.go
- sys_capabilities.go
- sys_config_cors.go
- sys_generate_root.go
- sys_health.go
- sys_init.go
- sys_leader.go
- sys_leases.go
- sys_mounts.go
- sys_policy.go
- sys_rekey.go
- sys_rotate.go
- sys_seal.go
- sys_stepdown.go