Documentation ¶
Overview ¶
Package vault is a generated protocol buffer package.
It is generated from these files:
request_forwarding_service.proto
It has these top-level messages:
EchoRequest EchoReply
Index ¶
- Constants
- Variables
- func AddTestCredentialBackend(name string, factory logical.Factory) error
- func AddTestLogicalBackend(name string, factory logical.Factory) error
- func CubbyholeBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
- func GenerateRandBytes(length int) ([]byte, error)
- func LeaseSwitchedPassthroughBackend(ctx context.Context, conf *logical.BackendConfig, leases bool) (logical.Backend, error)
- func LeasedPassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
- func NewSealUnwrapper(underlying physical.Backend, logger log.Logger) physical.Backend
- func PassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
- func RegisterRequestForwardingServer(s *grpc.Server, srv RequestForwardingServer)
- func StartSSHHostTestServer() (string, error)
- func TestAddTestPlugin(t testing.T, c *Core, name, testFunc string)
- func TestAddTestPluginTempDir(t testing.T, c *Core, name, testFunc, tempDir string)
- func TestCoreInit(t testing.T, core *Core) ([][]byte, string)
- func TestCoreInitClusterWrapperSetup(t testing.T, core *Core, clusterAddrs []*net.TCPAddr, handler http.Handler) ([][]byte, [][]byte, string)
- func TestCoreUnseal(core *Core, key []byte) (bool, error)
- func TestCoreUnsealWithRecoveryKeys(core *Core, key []byte) (bool, error)
- func TestCoreWithBackendTokenStore(t testing.T, backend physical.Backend) (*Core, *TokenStore, [][]byte, string)
- func TestCoreWithTokenStore(t testing.T) (*Core, *TokenStore, [][]byte, string)
- func TestDynamicSystemView(c *Core) *dynamicSystemView
- func TestKeyCopy(key []byte) []byte
- func TestWaitActive(t testing.T, core *Core)
- type ACL
- type ACLPermissions
- type ACLResults
- type AESGCMBarrier
- func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error)
- func (b *AESGCMBarrier) CheckUpgrade(ctx context.Context) (bool, uint32, error)
- func (b *AESGCMBarrier) CreateUpgrade(ctx context.Context, term uint32) error
- func (b *AESGCMBarrier) Decrypt(ctx context.Context, key string, ciphertext []byte) ([]byte, error)
- func (b *AESGCMBarrier) Delete(ctx context.Context, key string) error
- func (b *AESGCMBarrier) DestroyUpgrade(ctx context.Context, term uint32) error
- func (b *AESGCMBarrier) Encrypt(ctx context.Context, key string, plaintext []byte) ([]byte, error)
- func (b *AESGCMBarrier) GenerateKey() ([]byte, error)
- func (b *AESGCMBarrier) Get(ctx context.Context, key string) (*Entry, error)
- func (b *AESGCMBarrier) Initialize(ctx context.Context, key []byte) error
- func (b *AESGCMBarrier) Initialized(ctx context.Context) (bool, error)
- func (b *AESGCMBarrier) KeyLength() (int, int)
- func (b *AESGCMBarrier) Keyring() (*Keyring, error)
- func (b *AESGCMBarrier) List(ctx context.Context, prefix string) ([]string, error)
- func (b *AESGCMBarrier) Put(ctx context.Context, entry *Entry) error
- func (b *AESGCMBarrier) Rekey(ctx context.Context, key []byte) error
- func (b *AESGCMBarrier) ReloadKeyring(ctx context.Context) error
- func (b *AESGCMBarrier) ReloadMasterKey(ctx context.Context) error
- func (b *AESGCMBarrier) Rotate(ctx context.Context) (uint32, error)
- func (b *AESGCMBarrier) Seal() error
- func (b *AESGCMBarrier) Sealed() (bool, error)
- func (b *AESGCMBarrier) SetMasterKey(key []byte) error
- func (b *AESGCMBarrier) Unseal(ctx context.Context, key []byte) error
- func (b *AESGCMBarrier) VerifyMaster(key []byte) error
- type APIMountConfig
- type AuditBroker
- func (a *AuditBroker) Deregister(name string)
- func (a *AuditBroker) GetHash(name string, input string) (string, error)
- func (a *AuditBroker) Invalidate(ctx context.Context, key string)
- func (a *AuditBroker) IsRegistered(name string) bool
- func (a *AuditBroker) LogRequest(ctx context.Context, auth *logical.Auth, req *logical.Request, ...) (ret error)
- func (a *AuditBroker) LogResponse(ctx context.Context, auth *logical.Auth, req *logical.Request, ...) (ret error)
- func (a *AuditBroker) Register(name string, b audit.Backend, v *BarrierView)
- type AuditedHeadersConfig
- type AuthResults
- type BarrierEncryptor
- type BarrierEncryptorAccess
- type BarrierStorage
- type BarrierView
- func (v *BarrierView) Delete(ctx context.Context, key string) error
- func (v *BarrierView) Get(ctx context.Context, key string) (*logical.StorageEntry, error)
- func (v *BarrierView) List(ctx context.Context, prefix string) ([]string, error)
- func (v *BarrierView) Put(ctx context.Context, entry *logical.StorageEntry) error
- func (v *BarrierView) SubView(prefix string) *BarrierView
- type CORSConfig
- type Cluster
- type Core
- func NewCore(conf *CoreConfig) (*Core, error)
- func TestCore(t testing.T) *Core
- func TestCoreNewSeal(t testing.T) *Core
- func TestCoreRaw(t testing.T) *Core
- func TestCoreUnsealed(t testing.T) (*Core, [][]byte, string)
- func TestCoreUnsealedBackend(t testing.T, backend physical.Backend) (*Core, [][]byte, string)
- func TestCoreUnsealedRaw(t testing.T) (*Core, [][]byte, string)
- func TestCoreUnsealedWithConfigSealOpts(t testing.T, barrierConf, recoveryConf *SealConfig, sealOpts *TestSealOpts) (*Core, [][]byte, [][]byte, string)
- func TestCoreWithSeal(t testing.T, testSeal Seal, enableRaw bool) *Core
- func (c *Core) ActiveNodeReplicationState() consts.ReplicationState
- func (c *Core) AuditedHeadersConfig() *AuditedHeadersConfig
- func (c *Core) BarrierEncryptorAccess() *BarrierEncryptorAccess
- func (c *Core) BarrierKeyLength() (min, max int)
- func (c *Core) BarrierRekeyInit(config *SealConfig) error
- func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, error)
- func (c *Core) CORSConfig() *CORSConfig
- func (c *Core) Capabilities(ctx context.Context, token, path string) ([]string, error)
- func (c *Core) Cluster(ctx context.Context) (*Cluster, error)
- func (c *Core) ClusterTLSConfig(ctx context.Context, repClusters *ReplicatedClusters) (*tls.Config, error)
- func (c *Core) ForwardRequest(req *http.Request) (int, http.Header, []byte, error)
- func (c *Core) GenerateRootCancel() error
- func (c *Core) GenerateRootConfiguration() (*GenerateRootConfig, error)
- func (c *Core) GenerateRootInit(otp, pgpKey string, strategy GenerateRootStrategy) error
- func (c *Core) GenerateRootProgress() (int, error)
- func (c *Core) GenerateRootUpdate(ctx context.Context, key []byte, nonce string, strategy GenerateRootStrategy) (*GenerateRootResult, error)
- func (c *Core) GetContext() (context.Context, context.CancelFunc)
- func (c *Core) HandleRequest(req *logical.Request) (resp *logical.Response, err error)
- func (c *Core) IdentityStore() *IdentityStore
- func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitResult, error)
- func (c *Core) Initialized(ctx context.Context) (bool, error)
- func (c *Core) IsDRSecondary() bool
- func (c *Core) Leader() (isLeader bool, leaderAddr, clusterAddr string, err error)
- func (c *Core) Logger() log.Logger
- func (c *Core) LookupToken(token string) (*TokenEntry, error)
- func (c *Core) PhysicalAccess() *physical.PhysicalAccess
- func (c *Core) RecoveryRekeyInit(config *SealConfig) error
- func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, error)
- func (c *Core) RekeyCancel(recovery bool) error
- func (c *Core) RekeyConfig(recovery bool) (*SealConfig, error)
- func (c *Core) RekeyDeleteBackup(ctx context.Context, recovery bool) error
- func (c *Core) RekeyInit(config *SealConfig, recovery bool) error
- func (c *Core) RekeyProgress(recovery bool) (int, error)
- func (c *Core) RekeyRetrieveBackup(ctx context.Context, recovery bool) (*RekeyBackup, error)
- func (c *Core) RekeyThreshold(ctx context.Context, recovery bool) (int, error)
- func (c *Core) RekeyUpdate(ctx context.Context, key []byte, nonce string, recovery bool) (*RekeyResult, error)
- func (c *Core) ReplicationState() consts.ReplicationState
- func (c *Core) ResetUnsealProcess()
- func (c *Core) RouterAccess() *RouterAccess
- func (c *Core) Seal(token string) error
- func (c *Core) SealAccess() *SealAccess
- func (c *Core) SealWithRequest(req *logical.Request) error
- func (c *Core) Sealed() (bool, error)
- func (c *Core) SecretProgress() (int, string)
- func (c *Core) SetClusterHandler(handler http.Handler)
- func (c *Core) SetClusterListenerAddrs(addrs []*net.TCPAddr)
- func (c *Core) Shutdown() error
- func (c *Core) Standby() (bool, error)
- func (c *Core) StepDown(req *logical.Request) (retErr error)
- func (c *Core) Unseal(key []byte) (bool, error)
- func (c *Core) UnsealWithRecoveryKeys(ctx context.Context, key []byte) (bool, error)
- func (c *Core) UnsealWithStoredKeys(ctx context.Context) error
- func (c *Core) ValidateWrappingToken(req *logical.Request) (bool, error)
- type CoreConfig
- type CubbyholeBackend
- type EchoReply
- type EchoRequest
- type EncodedKeyring
- type Entry
- type ErrInvalidKey
- type ExpirationManager
- func (m *ExpirationManager) FetchLeaseTimes(leaseID string) (*leaseEntry, error)
- func (m *ExpirationManager) FetchLeaseTimesByToken(source, token string) (*leaseEntry, error)
- func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Response) (id string, retErr error)
- func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) error
- func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*logical.Response, error)
- func (m *ExpirationManager) RenewToken(req *logical.Request, source string, token string, increment time.Duration) (*logical.Response, error)
- func (m *ExpirationManager) Restore(errorFunc func()) (retErr error)
- func (m *ExpirationManager) RestoreSaltedTokenCheck(source string, saltedID string) (bool, error)
- func (m *ExpirationManager) Revoke(leaseID string) error
- func (m *ExpirationManager) RevokeByToken(te *TokenEntry) error
- func (m *ExpirationManager) RevokeForce(prefix string) error
- func (m *ExpirationManager) RevokePrefix(prefix string) error
- func (m *ExpirationManager) Stop() error
- func (m *ExpirationManager) Tidy() error
- type GenerateRootConfig
- type GenerateRootResult
- type GenerateRootStrategy
- type IdentityStore
- func (i *IdentityStore) CreateOrFetchEntity(alias *logical.Alias) (*identity.Entity, error)
- func (i *IdentityStore) Invalidate(ctx context.Context, key string)
- func (i *IdentityStore) LockForEntityID(entityID string) *locksutil.LockEntry
- func (i *IdentityStore) MemDBAliasByCanonicalID(canonicalID string, clone bool, groupAlias bool) (*identity.Alias, error)
- func (i *IdentityStore) MemDBAliasByCanonicalIDInTxn(txn *memdb.Txn, canonicalID string, clone bool, groupAlias bool) (*identity.Alias, error)
- func (i *IdentityStore) MemDBAliasByFactors(mountAccessor, aliasName string, clone bool, groupAlias bool) (*identity.Alias, error)
- func (i *IdentityStore) MemDBAliasByFactorsInTxn(txn *memdb.Txn, mountAccessor, aliasName string, clone bool, groupAlias bool) (*identity.Alias, error)
- func (i *IdentityStore) MemDBAliasByID(aliasID string, clone bool, groupAlias bool) (*identity.Alias, error)
- func (i *IdentityStore) MemDBAliasByIDInTxn(txn *memdb.Txn, aliasID string, clone bool, groupAlias bool) (*identity.Alias, error)
- func (i *IdentityStore) MemDBAliases(ws memdb.WatchSet, groupAlias bool) (memdb.ResultIterator, error)
- func (i *IdentityStore) MemDBAliasesByMetadata(filters map[string]string, clone bool, groupAlias bool) ([]*identity.Alias, error)
- func (i *IdentityStore) MemDBDeleteAliasByID(aliasID string, groupAlias bool) error
- func (i *IdentityStore) MemDBDeleteAliasByIDInTxn(txn *memdb.Txn, aliasID string, groupAlias bool) error
- func (i *IdentityStore) MemDBDeleteEntityByID(entityID string) error
- func (i *IdentityStore) MemDBDeleteEntityByIDInTxn(txn *memdb.Txn, entityID string) error
- func (i *IdentityStore) MemDBDeleteGroupByIDInTxn(txn *memdb.Txn, groupID string) error
- func (i *IdentityStore) MemDBDeleteGroupByNameInTxn(txn *memdb.Txn, groupName string) error
- func (i *IdentityStore) MemDBEntities(ws memdb.WatchSet) (memdb.ResultIterator, error)
- func (i *IdentityStore) MemDBEntitiesByBucketEntryKeyHash(hashValue string) ([]*identity.Entity, error)
- func (i *IdentityStore) MemDBEntitiesByBucketEntryKeyHashInTxn(txn *memdb.Txn, hashValue string) ([]*identity.Entity, error)
- func (i *IdentityStore) MemDBEntitiesByMetadata(filters map[string]string, clone bool) ([]*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByAliasID(aliasID string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByAliasIDInTxn(txn *memdb.Txn, aliasID string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByID(entityID string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByIDInTxn(txn *memdb.Txn, entityID string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByMergedEntityID(mergedEntityID string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByMergedEntityIDInTxn(txn *memdb.Txn, mergedEntityID string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByName(entityName string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByNameInTxn(txn *memdb.Txn, entityName string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBGroupByAliasID(aliasID string, clone bool) (*identity.Group, error)
- func (i *IdentityStore) MemDBGroupByAliasIDInTxn(txn *memdb.Txn, aliasID string, clone bool) (*identity.Group, error)
- func (i *IdentityStore) MemDBGroupByID(groupID string, clone bool) (*identity.Group, error)
- func (i *IdentityStore) MemDBGroupByIDInTxn(txn *memdb.Txn, groupID string, clone bool) (*identity.Group, error)
- func (i *IdentityStore) MemDBGroupByName(groupName string, clone bool) (*identity.Group, error)
- func (i *IdentityStore) MemDBGroupByNameInTxn(txn *memdb.Txn, groupName string, clone bool) (*identity.Group, error)
- func (i *IdentityStore) MemDBGroupIterator(ws memdb.WatchSet) (memdb.ResultIterator, error)
- func (i *IdentityStore) MemDBGroupsByBucketEntryKeyHash(hashValue string) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBGroupsByBucketEntryKeyHashInTxn(txn *memdb.Txn, hashValue string) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBGroupsByMemberEntityID(entityID string, clone bool, externalOnly bool) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBGroupsByMemberEntityIDInTxn(txn *memdb.Txn, entityID string, clone bool, externalOnly bool) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBGroupsByParentGroupID(memberGroupID string, clone bool) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBGroupsByParentGroupIDInTxn(txn *memdb.Txn, memberGroupID string, clone bool) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBGroupsByPolicy(policyName string, clone bool) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBGroupsByPolicyInTxn(txn *memdb.Txn, policyName string, clone bool) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBUpsertAlias(alias *identity.Alias, groupAlias bool) error
- func (i *IdentityStore) MemDBUpsertAliasInTxn(txn *memdb.Txn, alias *identity.Alias, groupAlias bool) error
- func (i *IdentityStore) MemDBUpsertEntity(entity *identity.Entity) error
- func (i *IdentityStore) MemDBUpsertEntityInTxn(txn *memdb.Txn, entity *identity.Entity) error
- func (i *IdentityStore) MemDBUpsertGroup(group *identity.Group) error
- func (i *IdentityStore) MemDBUpsertGroupInTxn(txn *memdb.Txn, group *identity.Group) error
- func (i *IdentityStore) UpsertGroup(group *identity.Group, persist bool) error
- type InitParams
- type InitResult
- type Key
- type KeyInfo
- type KeyNotFoundError
- type Keyring
- func (k *Keyring) ActiveKey() *Key
- func (k *Keyring) ActiveTerm() uint32
- func (k *Keyring) AddKey(key *Key) (*Keyring, error)
- func (k *Keyring) Clone() *Keyring
- func (k *Keyring) MasterKey() []byte
- func (k *Keyring) RemoveKey(term uint32) (*Keyring, error)
- func (k *Keyring) Serialize() ([]byte, error)
- func (k *Keyring) SetMasterKey(val []byte) *Keyring
- func (k *Keyring) TermKey(term uint32) *Key
- func (k *Keyring) Zeroize(keysToo bool)
- type MountConfig
- type MountEntry
- type MountTable
- type NonFatalError
- type PassthroughBackend
- type PathRules
- type PluginCatalog
- func (c *PluginCatalog) Delete(ctx context.Context, name string) error
- func (c *PluginCatalog) Get(ctx context.Context, name string) (*pluginutil.PluginRunner, error)
- func (c *PluginCatalog) List(ctx context.Context) ([]string, error)
- func (c *PluginCatalog) Set(ctx context.Context, name, command string, args []string, sha256 []byte) error
- type Policy
- type PolicyCheckOpts
- type PolicyEntry
- type PolicyStore
- func (ps *PolicyStore) ACL(ctx context.Context, names ...string) (*ACL, error)
- func (ps *PolicyStore) DeletePolicy(ctx context.Context, name string, policyType PolicyType) error
- func (ps *PolicyStore) GetPolicy(ctx context.Context, name string, policyType PolicyType) (*Policy, error)
- func (ps *PolicyStore) ListPolicies(ctx context.Context, policyType PolicyType) ([]string, error)
- func (ps *PolicyStore) SetPolicy(ctx context.Context, p *Policy) error
- type PolicyType
- type RekeyBackup
- type RekeyResult
- type ReplicatedClusters
- type RequestForwardingClient
- type RequestForwardingServer
- type RollbackManager
- type Router
- func (r *Router) LoginPath(path string) bool
- func (r *Router) MatchingBackend(path string) logical.Backend
- func (r *Router) MatchingMount(path string) string
- func (r *Router) MatchingMountByAccessor(mountAccessor string) *MountEntry
- func (r *Router) MatchingMountByUUID(mountID string) *MountEntry
- func (r *Router) MatchingMountEntry(path string) *MountEntry
- func (r *Router) MatchingStorageByAPIPath(path string) logical.Storage
- func (r *Router) MatchingStorageByStoragePath(path string) logical.Storage
- func (r *Router) MatchingStoragePrefixByAPIPath(path string) (string, string, bool)
- func (r *Router) MatchingStoragePrefixByStoragePath(path string) (string, string, bool)
- func (r *Router) MatchingSystemView(path string) logical.SystemView
- func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, ...) error
- func (r *Router) MountConflict(path string) string
- func (r *Router) Remount(src, dst string) error
- func (r *Router) RootPath(path string) bool
- func (r *Router) Route(ctx context.Context, req *logical.Request) (*logical.Response, error)
- func (r *Router) RouteExistenceCheck(ctx context.Context, req *logical.Request) (bool, bool, error)
- func (r *Router) Taint(path string) error
- func (r *Router) Unmount(ctx context.Context, prefix string) error
- func (r *Router) Untaint(path string) error
- type RouterAccess
- type Seal
- type SealAccess
- func (s *SealAccess) BarrierConfig(ctx context.Context) (*SealConfig, error)
- func (s *SealAccess) ClearCaches(ctx context.Context)
- func (s *SealAccess) RecoveryConfig(ctx context.Context) (*SealConfig, error)
- func (s *SealAccess) RecoveryKeySupported() bool
- func (s *SealAccess) StoredKeysSupported() bool
- func (s *SealAccess) VerifyRecoveryKey(ctx context.Context, key []byte) error
- type SealConfig
- type SecurityBarrier
- type SystemBackend
- type TestCluster
- type TestClusterCore
- type TestClusterOptions
- type TestListener
- type TestSealOpts
- type TokenEntry
- type TokenStore
- func (ts *TokenStore) Invalidate(ctx context.Context, key string)
- func (ts *TokenStore) Lookup(ctx context.Context, id string) (*TokenEntry, error)
- func (ts *TokenStore) Revoke(ctx context.Context, id string) error
- func (ts *TokenStore) RevokeTree(ctx context.Context, id string) error
- func (ts *TokenStore) Salt() (*salt.Salt, error)
- func (ts *TokenStore) SaltID(id string) (string, error)
- func (ts *TokenStore) SetExpirationManager(exp *ExpirationManager)
- func (ts *TokenStore) UseToken(ctx context.Context, te *TokenEntry) (*TokenEntry, error)
- func (ts *TokenStore) UseTokenByID(ctx context.Context, id string) (*TokenEntry, error)
Constants ¶
const ( AESGCMVersion1 = 0x1 AESGCMVersion2 = 0x2 )
Versions of the AESGCM storage methodology
const ( CORSDisabled uint32 = iota CORSEnabled )
const ( DenyCapability = "deny" CreateCapability = "create" ReadCapability = "read" UpdateCapability = "update" DeleteCapability = "delete" ListCapability = "list" SudoCapability = "sudo" RootCapability = "root" // Backwards compatibility OldDenyPathPolicy = "deny" OldReadPathPolicy = "read" OldWritePathPolicy = "write" OldSudoPathPolicy = "sudo" )
const ( DenyCapabilityInt uint32 = 1 << iota CreateCapabilityInt ReadCapabilityInt UpdateCapabilityInt DeleteCapabilityInt ListCapabilityInt SudoCapabilityInt )
const ( SealTypeShamir = "shamir" SealTypePKCS11 = "pkcs11" SealTypeAWSKMS = "awskms" SealTypeTest = "test-auto" RecoveryTypeUnsupported = "unsupported" RecoveryTypeShamir = "shamir" )
const (
// Internal so as not to log a trace message
IntNoForwardingHeaderName = "X-Vault-Internal-No-Request-Forwarding"
)
Variables ¶
var ( // ErrBarrierSealed is returned if an operation is performed on // a sealed barrier. No operation is expected to succeed before unsealing ErrBarrierSealed = errors.New("Vault is sealed") // ErrBarrierAlreadyInit is returned if the barrier is already // initialized. This prevents a re-initialization. ErrBarrierAlreadyInit = errors.New("Vault is already initialized") // ErrBarrierNotInit is returned if a non-initialized barrier // is attempted to be unsealed. ErrBarrierNotInit = errors.New("Vault is not initialized") // ErrBarrierInvalidKey is returned if the Unseal key is invalid ErrBarrierInvalidKey = errors.New("Unseal failed, invalid key") )
var ( // ErrAlreadyInit is returned if the core is already // initialized. This prevents a re-initialization. ErrAlreadyInit = errors.New("Vault is already initialized") // ErrNotInit is returned if a non-initialized barrier // is attempted to be unsealed. ErrNotInit = errors.New("Vault is not initialized") // ErrInternalError is returned when we don't want to leak // any information about an internal error ErrInternalError = errors.New("internal error") // ErrHANotEnabled is returned if the operation only makes sense // in an HA setting ErrHANotEnabled = errors.New("Vault is not configured for highly-available mode") LastRemoteWAL = lastRemoteWALImpl )
var ( ErrDirectoryNotConfigured = errors.New("could not set plugin, plugin directory is not configured") ErrPluginNotFound = errors.New("plugin not found in the catalog") )
var ( TestCoreUnsealedWithConfigs = testCoreUnsealedWithConfigs TestSealDefConfigs = testSealDefConfigs )
var DefaultNumCores = 3
var (
ErrCannotForward = errors.New("cannot forward request; no connection or address not known")
)
var (
ErrRelativePath = errors.New("relative paths not supported")
)
var ( // Making this a package var allows tests to modify HeartbeatInterval = 5 * time.Second )
var StdAllowedHeaders = []string{
"Content-Type",
"X-Requested-With",
"X-Vault-AWS-IAM-Server-ID",
"X-Vault-MFA",
"X-Vault-No-Request-Forwarding",
"X-Vault-Token",
"X-Vault-Wrap-Format",
"X-Vault-Wrap-TTL",
"X-Vault-Policy-Override",
}
Functions ¶
func AddTestCredentialBackend ¶ added in v0.9.0
This adds a credential backend for the test core. This needs to be invoked before the test core is created.
func AddTestLogicalBackend ¶ added in v0.3.0
This adds a logical backend for the test core. This needs to be invoked before the test core is created.
func CubbyholeBackendFactory ¶ added in v0.3.0
func CubbyholeBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
CubbyholeBackendFactory constructs a new cubbyhole backend
func GenerateRandBytes ¶ added in v0.5.0
func LeaseSwitchedPassthroughBackend ¶ added in v0.3.0
func LeaseSwitchedPassthroughBackend(ctx context.Context, conf *logical.BackendConfig, leases bool) (logical.Backend, error)
LeaseSwitchedPassthroughBackend returns a PassthroughBackend with leases switched on or off
func LeasedPassthroughBackendFactory ¶ added in v0.3.0
func LeasedPassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
LeasedPassthroughBackendFactory returns a PassthroughBackend with leases switched on
func NewSealUnwrapper ¶ added in v0.9.4
NewSealUnwrapper creates a new seal unwrapper
func PassthroughBackendFactory ¶
func PassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
PassthroughBackendFactory returns a PassthroughBackend with leases switched off
func RegisterRequestForwardingServer ¶ added in v0.6.1
func RegisterRequestForwardingServer(s *grpc.Server, srv RequestForwardingServer)
func StartSSHHostTestServer ¶ added in v0.3.0
StartSSHHostTestServer starts the test server which responds to SSH authentication. Used to test the SSH secret backend.
func TestAddTestPlugin ¶ added in v0.7.1
TestAddTestPlugin registers the testFunc as part of the plugin command to the plugin catalog.
func TestAddTestPluginTempDir ¶ added in v0.9.1
TestAddTestPluginTempDir registers the testFunc as part of the plugin command to the plugin catalog. It uses tmpDir as the plugin directory.
func TestCoreInit ¶
TestCoreInit initializes the core with a single key, and returns the key that must be used to unseal the core and a root token.
func TestCoreInitClusterWrapperSetup ¶ added in v0.6.1
func TestCoreUnsealWithRecoveryKeys ¶ added in v0.9.0
func TestCoreWithBackendTokenStore ¶ added in v0.7.0
func TestCoreWithBackendTokenStore(t testing.T, backend physical.Backend) (*Core, *TokenStore, [][]byte, string)
TestCoreWithBackendTokenStore returns a core that has a token store mounted and used the provided physical backend, so that logical token functions can be used
func TestCoreWithTokenStore ¶ added in v0.5.0
func TestCoreWithTokenStore(t testing.T) (*Core, *TokenStore, [][]byte, string)
TestCoreWithTokenStore returns an in-memory core that has a token store mounted, so that logical token functions can be used
func TestDynamicSystemView ¶ added in v0.7.1
func TestDynamicSystemView(c *Core) *dynamicSystemView
func TestKeyCopy ¶
TestKeyCopy is a silly little function to just copy the key so that it can be used with Unseal easily.
func TestWaitActive ¶ added in v0.6.1
func TestWaitActive(t testing.T, core *Core)
Types ¶
type ACL ¶
type ACL struct {
// contains filtered or unexported fields
}
ACL is used to wrap a set of policies to provide an efficient interface for access control.
func (*ACL) AllowOperation ¶
func (a *ACL) AllowOperation(req *logical.Request) (ret *ACLResults)
AllowOperation is used to check if the given operation is permitted.
func (*ACL) Capabilities ¶ added in v0.5.2
type ACLPermissions ¶ added in v0.9.0
type ACLPermissions struct { CapabilitiesBitmap uint32 MinWrappingTTL time.Duration MaxWrappingTTL time.Duration AllowedParameters map[string][]interface{} DeniedParameters map[string][]interface{} RequiredParameters []string }
func (*ACLPermissions) Clone ¶ added in v0.9.0
func (p *ACLPermissions) Clone() (*ACLPermissions, error)
type ACLResults ¶ added in v0.9.0
type AESGCMBarrier ¶
type AESGCMBarrier struct {
// contains filtered or unexported fields
}
AESGCMBarrier is a SecurityBarrier implementation that uses the AES cipher core and the Galois Counter Mode block mode. It defaults to the golang NONCE default value of 12 and a key size of 256 bit. AES-GCM is high performance, and provides both confidentiality and integrity.
func NewAESGCMBarrier ¶
func NewAESGCMBarrier(physical physical.Backend) (*AESGCMBarrier, error)
NewAESGCMBarrier is used to construct a new barrier that uses the provided physical backend for storage.
func (*AESGCMBarrier) ActiveKeyInfo ¶ added in v0.2.0
func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error)
ActiveKeyInfo is used to inform details about the active key
func (*AESGCMBarrier) CheckUpgrade ¶ added in v0.2.0
CheckUpgrade looks for an upgrade to the current term and installs it
func (*AESGCMBarrier) CreateUpgrade ¶ added in v0.2.0
func (b *AESGCMBarrier) CreateUpgrade(ctx context.Context, term uint32) error
CreateUpgrade creates an upgrade path key to the given term from the previous term
func (*AESGCMBarrier) Decrypt ¶ added in v0.7.0
Decrypt is used to decrypt in-memory for the BarrierEncryptor interface
func (*AESGCMBarrier) Delete ¶
func (b *AESGCMBarrier) Delete(ctx context.Context, key string) error
Delete is used to permanently delete an entry
func (*AESGCMBarrier) DestroyUpgrade ¶ added in v0.2.0
func (b *AESGCMBarrier) DestroyUpgrade(ctx context.Context, term uint32) error
DestroyUpgrade destroys the upgrade path key to the given term
func (*AESGCMBarrier) Encrypt ¶ added in v0.7.0
Encrypt is used to encrypt in-memory for the BarrierEncryptor interface
func (*AESGCMBarrier) GenerateKey ¶
func (b *AESGCMBarrier) GenerateKey() ([]byte, error)
GenerateKey is used to generate a new key
func (*AESGCMBarrier) Initialize ¶
func (b *AESGCMBarrier) Initialize(ctx context.Context, key []byte) error
Initialize works only if the barrier has not been initialized and makes use of the given master key.
func (*AESGCMBarrier) Initialized ¶
func (b *AESGCMBarrier) Initialized(ctx context.Context) (bool, error)
Initialized checks if the barrier has been initialized and has a master key set.
func (*AESGCMBarrier) KeyLength ¶
func (b *AESGCMBarrier) KeyLength() (int, int)
KeyLength is used to sanity check a key
func (*AESGCMBarrier) Keyring ¶ added in v0.7.0
func (b *AESGCMBarrier) Keyring() (*Keyring, error)
func (*AESGCMBarrier) List ¶
List is used ot list all the keys under a given prefix, up to the next prefix.
func (*AESGCMBarrier) Put ¶
func (b *AESGCMBarrier) Put(ctx context.Context, entry *Entry) error
Put is used to insert or update an entry
func (*AESGCMBarrier) Rekey ¶ added in v0.2.0
func (b *AESGCMBarrier) Rekey(ctx context.Context, key []byte) error
Rekey is used to change the master key used to protect the keyring
func (*AESGCMBarrier) ReloadKeyring ¶ added in v0.2.0
func (b *AESGCMBarrier) ReloadKeyring(ctx context.Context) error
ReloadKeyring is used to re-read the underlying keyring. This is used for HA deployments to ensure the latest keyring is present in the leader.
func (*AESGCMBarrier) ReloadMasterKey ¶ added in v0.2.0
func (b *AESGCMBarrier) ReloadMasterKey(ctx context.Context) error
ReloadMasterKey is used to re-read the underlying masterkey. This is used for HA deployments to ensure the latest master key is available for keyring reloading.
func (*AESGCMBarrier) Rotate ¶ added in v0.2.0
func (b *AESGCMBarrier) Rotate(ctx context.Context) (uint32, error)
Rotate is used to create a new encryption key. All future writes should use the new key, while old values should still be decryptable.
func (*AESGCMBarrier) Seal ¶
func (b *AESGCMBarrier) Seal() error
Seal is used to re-seal the barrier. This requires the barrier to be unsealed again to perform any further operations.
func (*AESGCMBarrier) Sealed ¶
func (b *AESGCMBarrier) Sealed() (bool, error)
Sealed checks if the barrier has been unlocked yet. The Barrier is not expected to be able to perform any CRUD until it is unsealed.
func (*AESGCMBarrier) SetMasterKey ¶ added in v0.7.0
func (b *AESGCMBarrier) SetMasterKey(key []byte) error
SetMasterKey updates the keyring's in-memory master key but does not persist anything to storage
func (*AESGCMBarrier) Unseal ¶
func (b *AESGCMBarrier) Unseal(ctx context.Context, key []byte) error
Unseal is used to provide the master key which permits the barrier to be unsealed. If the key is not correct, the barrier remains sealed.
func (*AESGCMBarrier) VerifyMaster ¶ added in v0.2.0
func (b *AESGCMBarrier) VerifyMaster(key []byte) error
VerifyMaster is used to check if the given key matches the master key
type APIMountConfig ¶ added in v0.8.0
type APIMountConfig struct { DefaultLeaseTTL string `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` MaxLeaseTTL string `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"` ForceNoCache bool `json:"force_no_cache" structs:"force_no_cache" mapstructure:"force_no_cache"` PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"` }
APIMountConfig is an embedded struct of api.MountConfigInput
type AuditBroker ¶
AuditBroker is used to provide a single ingest interface to auditable events given that multiple backends may be configured.
func NewAuditBroker ¶
func NewAuditBroker(log log.Logger) *AuditBroker
NewAuditBroker creates a new audit broker
func (*AuditBroker) Deregister ¶
func (a *AuditBroker) Deregister(name string)
Deregister is used to remove an audit backend from the broker
func (*AuditBroker) GetHash ¶ added in v0.4.0
func (a *AuditBroker) GetHash(name string, input string) (string, error)
GetHash returns a hash using the salt of the given backend
func (*AuditBroker) Invalidate ¶ added in v0.7.3
func (a *AuditBroker) Invalidate(ctx context.Context, key string)
func (*AuditBroker) IsRegistered ¶
func (a *AuditBroker) IsRegistered(name string) bool
IsRegistered is used to check if a given audit backend is registered
func (*AuditBroker) LogRequest ¶
func (a *AuditBroker) LogRequest(ctx context.Context, auth *logical.Auth, req *logical.Request, headersConfig *AuditedHeadersConfig, outerErr error) (ret error)
LogRequest is used to ensure all the audit backends have an opportunity to log the given request and that *at least one* succeeds.
func (*AuditBroker) LogResponse ¶
func (a *AuditBroker) LogResponse(ctx context.Context, auth *logical.Auth, req *logical.Request, resp *logical.Response, headersConfig *AuditedHeadersConfig, err error) (ret error)
LogResponse is used to ensure all the audit backends have an opportunity to log the given response and that *at least one* succeeds.
func (*AuditBroker) Register ¶
func (a *AuditBroker) Register(name string, b audit.Backend, v *BarrierView)
Register is used to add new audit backend to the broker
type AuditedHeadersConfig ¶ added in v0.6.5
type AuditedHeadersConfig struct { Headers map[string]*auditedHeaderSettings sync.RWMutex // contains filtered or unexported fields }
AuditedHeadersConfig is used by the Audit Broker to write only approved headers to the audit logs. It uses a BarrierView to persist the settings.
func (*AuditedHeadersConfig) ApplyConfig ¶ added in v0.6.5
func (a *AuditedHeadersConfig) ApplyConfig(headers map[string][]string, hashFunc func(string) (string, error)) (result map[string][]string, retErr error)
ApplyConfig returns a map of approved headers and their values, either hmac'ed or plaintext
type AuthResults ¶ added in v0.9.0
type AuthResults struct { ACLResults *ACLResults Allowed bool RootPrivs bool Error *multierror.Error }
type BarrierEncryptor ¶ added in v0.7.0
type BarrierEncryptor interface { Encrypt(ctx context.Context, key string, plaintext []byte) ([]byte, error) Decrypt(ctx context.Context, key string, ciphertext []byte) ([]byte, error) }
BarrierEncryptor is the in memory only interface that does not actually use the underlying barrier. It is used for lower level modules like the Write-Ahead-Log and Merkle index to allow them to use the barrier.
type BarrierEncryptorAccess ¶ added in v0.9.0
type BarrierEncryptorAccess struct {
// contains filtered or unexported fields
}
BarrierEncryptorAccess is a wrapper around BarrierEncryptor that allows Core to expose its barrier encrypt/decrypt operations through BarrierEncryptorAccess() while restricting the ability to modify Core.barrier itself.
func NewBarrierEncryptorAccess ¶ added in v0.9.0
func NewBarrierEncryptorAccess(barrierEncryptor BarrierEncryptor) *BarrierEncryptorAccess
type BarrierStorage ¶
type BarrierStorage interface { // Put is used to insert or update an entry Put(ctx context.Context, entry *Entry) error // Get is used to fetch an entry Get(ctx context.Context, key string) (*Entry, error) // Delete is used to permanently delete an entry Delete(ctx context.Context, key string) error // List is used ot list all the keys under a given // prefix, up to the next prefix. List(ctx context.Context, prefix string) ([]string, error) }
BarrierStorage is the storage only interface required for a Barrier.
type BarrierView ¶
type BarrierView struct {
// contains filtered or unexported fields
}
BarrierView wraps a SecurityBarrier and ensures all access is automatically prefixed. This is used to prevent anyone with access to the view to access any data in the durable storage outside of their prefix. Conceptually this is like a "chroot" into the barrier.
BarrierView implements logical.Storage so it can be passed in as the durable storage mechanism for logical views.
func NewBarrierView ¶
func NewBarrierView(barrier BarrierStorage, prefix string) *BarrierView
NewBarrierView takes an underlying security barrier and returns a view of it that can only operate with the given prefix.
func (*BarrierView) Delete ¶
func (v *BarrierView) Delete(ctx context.Context, key string) error
logical.Storage impl.
func (*BarrierView) Get ¶
func (v *BarrierView) Get(ctx context.Context, key string) (*logical.StorageEntry, error)
logical.Storage impl.
func (*BarrierView) Put ¶
func (v *BarrierView) Put(ctx context.Context, entry *logical.StorageEntry) error
logical.Storage impl.
func (*BarrierView) SubView ¶
func (v *BarrierView) SubView(prefix string) *BarrierView
SubView constructs a nested sub-view using the given prefix
type CORSConfig ¶ added in v0.8.0
type CORSConfig struct { sync.RWMutex `json:"-"` Enabled uint32 `json:"enabled"` AllowedOrigins []string `json:"allowed_origins,omitempty"` AllowedHeaders []string `json:"allowed_headers,omitempty"` // contains filtered or unexported fields }
CORSConfig stores the state of the CORS configuration.
func (*CORSConfig) Disable ¶ added in v0.8.0
func (c *CORSConfig) Disable(ctx context.Context) error
Disable sets CORS to disabled and clears the allowed origins & headers.
func (*CORSConfig) Enable ¶ added in v0.8.0
Enable takes either a '*' or a comma-seprated list of URLs that can make cross-origin requests to Vault.
func (*CORSConfig) IsEnabled ¶ added in v0.8.0
func (c *CORSConfig) IsEnabled() bool
IsEnabled returns the value of CORSConfig.isEnabled
func (*CORSConfig) IsValidOrigin ¶ added in v0.8.0
func (c *CORSConfig) IsValidOrigin(origin string) bool
IsValidOrigin determines if the origin of the request is allowed to make cross-origin requests based on the CORSConfig.
type Cluster ¶ added in v0.6.1
type Cluster struct { // Name of the cluster Name string `json:"name" structs:"name" mapstructure:"name"` // Identifier of the cluster ID string `json:"id" structs:"id" mapstructure:"id"` }
Structure representing the storage entry that holds cluster information
type Core ¶
type Core struct {
// contains filtered or unexported fields
}
Core is used as the central manager of Vault activity. It is the primary point of interface for API handlers and is responsible for managing the logical and physical backends, router, security barrier, and audit trails.
func NewCore ¶
func NewCore(conf *CoreConfig) (*Core, error)
NewCore is used to construct a new core
func TestCore ¶
func TestCore(t testing.T) *Core
TestCore returns a pure in-memory, uninitialized core for testing.
func TestCoreNewSeal ¶ added in v0.6.5
func TestCoreNewSeal(t testing.T) *Core
TestCoreNewSeal returns a pure in-memory, uninitialized core with the new seal configuration.
func TestCoreRaw ¶ added in v0.8.3
func TestCoreRaw(t testing.T) *Core
TestCoreRaw returns a pure in-memory, uninitialized core for testing. The raw storage endpoints are enabled with this core.
func TestCoreUnsealed ¶
TestCoreUnsealed returns a pure in-memory core that is already initialized and unsealed.
func TestCoreUnsealedBackend ¶ added in v0.7.0
func TestCoreUnsealedRaw ¶ added in v0.8.3
TestCoreUnsealedRaw returns a pure in-memory core that is already initialized, unsealed, and with raw endpoints enabled.
func TestCoreUnsealedWithConfigSealOpts ¶ added in v0.9.0
func TestCoreUnsealedWithConfigSealOpts(t testing.T, barrierConf, recoveryConf *SealConfig, sealOpts *TestSealOpts) (*Core, [][]byte, [][]byte, string)
func TestCoreWithSeal ¶ added in v0.6.0
TestCoreWithSeal returns a pure in-memory, uninitialized core with the specified seal for testing.
func (*Core) ActiveNodeReplicationState ¶ added in v0.9.2
func (c *Core) ActiveNodeReplicationState() consts.ReplicationState
func (*Core) AuditedHeadersConfig ¶ added in v0.6.5
func (c *Core) AuditedHeadersConfig() *AuditedHeadersConfig
func (*Core) BarrierEncryptorAccess ¶ added in v0.9.0
func (c *Core) BarrierEncryptorAccess() *BarrierEncryptorAccess
func (*Core) BarrierKeyLength ¶ added in v0.6.1
func (*Core) BarrierRekeyInit ¶ added in v0.6.0
func (c *Core) BarrierRekeyInit(config *SealConfig) error
BarrierRekeyInit is used to initialize the rekey settings for the barrier key
func (*Core) BarrierRekeyUpdate ¶ added in v0.6.0
func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, error)
BarrierRekeyUpdate is used to provide a new key part. Barrier rekey can be done with unseal keys, or recovery keys if that's supported and we are storing the barrier key.
N.B.: If recovery keys are used to rekey, the new barrier key shares are not returned.
func (*Core) CORSConfig ¶ added in v0.8.0
func (c *Core) CORSConfig() *CORSConfig
CORSConfig returns the current CORS configuration
func (*Core) Capabilities ¶ added in v0.5.2
Capabilities is used to fetch the capabilities of the given token on the given path
func (*Core) Cluster ¶ added in v0.6.1
Cluster fetches the details of the local cluster. This method errors out when Vault is sealed.
func (*Core) ClusterTLSConfig ¶ added in v0.6.1
func (c *Core) ClusterTLSConfig(ctx context.Context, repClusters *ReplicatedClusters) (*tls.Config, error)
ClusterTLSConfig generates a TLS configuration based on the local/replicated cluster key and cert.
func (*Core) ForwardRequest ¶ added in v0.6.1
ForwardRequest forwards a given request to the active node and returns the response.
func (*Core) GenerateRootCancel ¶ added in v0.5.0
GenerateRootCancel is used to cancel an in-progress root generation
func (*Core) GenerateRootConfiguration ¶ added in v0.5.0
func (c *Core) GenerateRootConfiguration() (*GenerateRootConfig, error)
GenerateRootConfiguration is used to read the root generation configuration It stubbornly refuses to return the OTP if one is there.
func (*Core) GenerateRootInit ¶ added in v0.5.0
func (c *Core) GenerateRootInit(otp, pgpKey string, strategy GenerateRootStrategy) error
GenerateRootInit is used to initialize the root generation settings
func (*Core) GenerateRootProgress ¶ added in v0.5.0
GenerateRootProgress is used to return the root generation progress (num shares)
func (*Core) GenerateRootUpdate ¶ added in v0.5.0
func (c *Core) GenerateRootUpdate(ctx context.Context, key []byte, nonce string, strategy GenerateRootStrategy) (*GenerateRootResult, error)
GenerateRootUpdate is used to provide a new key part
func (*Core) GetContext ¶ added in v0.9.2
func (c *Core) GetContext() (context.Context, context.CancelFunc)
func (*Core) HandleRequest ¶
HandleRequest is used to handle a new incoming request
func (*Core) IdentityStore ¶ added in v0.9.0
func (c *Core) IdentityStore() *IdentityStore
func (*Core) Initialize ¶
func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitResult, error)
Initialize is used to initialize the Vault with the given configurations.
func (*Core) Initialized ¶
Initialized checks if the Vault is already initialized
func (*Core) IsDRSecondary ¶ added in v0.9.2
IsDRSecondary returns if the current cluster state is a DR secondary.
func (*Core) LookupToken ¶ added in v0.6.3
func (c *Core) LookupToken(token string) (*TokenEntry, error)
LookupToken returns the properties of the token from the token store. This is particularly useful to fetch the accessor of the client token and get it populated in the logical request along with the client token. The accessor of the client token can get audit logged.
func (*Core) PhysicalAccess ¶ added in v0.9.0
func (c *Core) PhysicalAccess() *physical.PhysicalAccess
func (*Core) RecoveryRekeyInit ¶ added in v0.6.0
func (c *Core) RecoveryRekeyInit(config *SealConfig) error
RecoveryRekeyInit is used to initialize the rekey settings for the recovery key
func (*Core) RecoveryRekeyUpdate ¶ added in v0.6.0
func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, error)
RecoveryRekeyUpdate is used to provide a new key part
func (*Core) RekeyCancel ¶ added in v0.2.0
RekeyCancel is used to cancel an inprogress rekey
func (*Core) RekeyConfig ¶ added in v0.2.0
func (c *Core) RekeyConfig(recovery bool) (*SealConfig, error)
RekeyConfig is used to read the rekey configuration
func (*Core) RekeyDeleteBackup ¶ added in v0.5.0
RekeyDeleteBackup is used to delete any backed-up PGP-encrypted unseal keys
func (*Core) RekeyInit ¶ added in v0.2.0
func (c *Core) RekeyInit(config *SealConfig, recovery bool) error
RekeyInit will either initialize the rekey of barrier or recovery key. recovery determines whether this is a rekey on the barrier or recovery key.
func (*Core) RekeyProgress ¶ added in v0.2.0
RekeyProgress is used to return the rekey progress (num shares).
func (*Core) RekeyRetrieveBackup ¶ added in v0.5.0
RekeyRetrieveBackup is used to retrieve any backed-up PGP-encrypted unseal keys
func (*Core) RekeyThreshold ¶ added in v0.6.0
RekeyThreshold returns the secret threshold for the current seal config. This threshold can either be the barrier key threshold or the recovery key threshold, depending on whether rekey is being performed on the recovery key, or whether the seal supports recovery keys.
func (*Core) RekeyUpdate ¶ added in v0.2.0
func (c *Core) RekeyUpdate(ctx context.Context, key []byte, nonce string, recovery bool) (*RekeyResult, error)
RekeyUpdate is used to provide a new key part for the barrier or recovery key.
func (*Core) ReplicationState ¶ added in v0.7.0
func (c *Core) ReplicationState() consts.ReplicationState
func (*Core) ResetUnsealProcess ¶ added in v0.4.0
func (c *Core) ResetUnsealProcess()
ResetUnsealProcess removes the current unlock parts from memory, to reset the unsealing process
func (*Core) RouterAccess ¶ added in v0.9.0
func (c *Core) RouterAccess() *RouterAccess
func (*Core) Seal ¶
Seal takes in a token and creates a logical.Request, acquires the lock, and passes through to sealInternal
func (*Core) SealAccess ¶ added in v0.6.0
func (c *Core) SealAccess() *SealAccess
func (*Core) SealWithRequest ¶ added in v0.6.0
SealWithRequest takes in a logical.Request, acquires the lock, and passes through to sealInternal
func (*Core) SecretProgress ¶
SecretProgress returns the number of keys provided so far
func (*Core) SetClusterHandler ¶ added in v0.7.3
func (*Core) SetClusterListenerAddrs ¶ added in v0.6.1
func (*Core) Shutdown ¶ added in v0.2.0
Shutdown is invoked when the Vault instance is about to be terminated. It should not be accessible as part of an API call as it will cause an availability problem. It is only used to gracefully quit in the case of HA so that failover happens as quickly as possible.
func (*Core) Unseal ¶
Unseal is used to provide one of the key parts to unseal the Vault.
They key given as a parameter will automatically be zerod after this method is done with it. If you want to keep the key around, a copy should be made.
func (*Core) UnsealWithRecoveryKeys ¶ added in v0.9.0
UnsealWithRecoveryKeys is used to provide one of the recovery key shares to unseal the Vault.
func (*Core) UnsealWithStoredKeys ¶ added in v0.6.0
UnsealWithStoredKeys performs auto-unseal using stored keys.
type CoreConfig ¶
type CoreConfig struct { DevToken string `json:"dev_token" structs:"dev_token" mapstructure:"dev_token"` LogicalBackends map[string]logical.Factory `json:"logical_backends" structs:"logical_backends" mapstructure:"logical_backends"` CredentialBackends map[string]logical.Factory `json:"credential_backends" structs:"credential_backends" mapstructure:"credential_backends"` AuditBackends map[string]audit.Factory `json:"audit_backends" structs:"audit_backends" mapstructure:"audit_backends"` Physical physical.Backend `json:"physical" structs:"physical" mapstructure:"physical"` // May be nil, which disables HA operations HAPhysical physical.HABackend `json:"ha_physical" structs:"ha_physical" mapstructure:"ha_physical"` Seal Seal `json:"seal" structs:"seal" mapstructure:"seal"` Logger log.Logger `json:"logger" structs:"logger" mapstructure:"logger"` // Disables the LRU cache on the physical backend DisableCache bool `json:"disable_cache" structs:"disable_cache" mapstructure:"disable_cache"` // Disables mlock syscall DisableMlock bool `json:"disable_mlock" structs:"disable_mlock" mapstructure:"disable_mlock"` // Custom cache size for the LRU cache on the physical backend, or zero for default CacheSize int `json:"cache_size" structs:"cache_size" mapstructure:"cache_size"` // Set as the leader address for HA RedirectAddr string `json:"redirect_addr" structs:"redirect_addr" mapstructure:"redirect_addr"` // Set as the cluster address for HA ClusterAddr string `json:"cluster_addr" structs:"cluster_addr" mapstructure:"cluster_addr"` DefaultLeaseTTL time.Duration `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` MaxLeaseTTL time.Duration `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"` ClusterName string `json:"cluster_name" structs:"cluster_name" mapstructure:"cluster_name"` ClusterCipherSuites string `json:"cluster_cipher_suites" structs:"cluster_cipher_suites" mapstructure:"cluster_cipher_suites"` EnableUI bool `json:"ui" structs:"ui" mapstructure:"ui"` // Enable the raw endpoint EnableRaw bool `json:"enable_raw" structs:"enable_raw" mapstructure:"enable_raw"` PluginDirectory string `json:"plugin_directory" structs:"plugin_directory" mapstructure:"plugin_directory"` ReloadFuncs *map[string][]reload.ReloadFunc ReloadFuncsLock *sync.RWMutex }
CoreConfig is used to parameterize a core
type CubbyholeBackend ¶ added in v0.3.0
CubbyholeBackend is used for storing secrets directly into the physical backend. The secrets are encrypted in the durable storage. This differs from kv in that every token has its own private storage view. The view is removed when the token expires.
type EchoReply ¶ added in v0.7.3
type EchoReply struct { Message string `protobuf:"bytes,1,opt,name=message" json:"message,omitempty"` ClusterAddrs []string `protobuf:"bytes,2,rep,name=cluster_addrs,json=clusterAddrs" json:"cluster_addrs,omitempty"` ReplicationState uint32 `protobuf:"varint,3,opt,name=replication_state,json=replicationState" json:"replication_state,omitempty"` }
func (*EchoReply) Descriptor ¶ added in v0.7.3
func (*EchoReply) GetClusterAddrs ¶ added in v0.7.3
func (*EchoReply) GetMessage ¶ added in v0.7.3
func (*EchoReply) GetReplicationState ¶ added in v0.9.2
func (*EchoReply) ProtoMessage ¶ added in v0.7.3
func (*EchoReply) ProtoMessage()
type EchoRequest ¶ added in v0.7.3
type EchoRequest struct { Message string `protobuf:"bytes,1,opt,name=message" json:"message,omitempty"` // ClusterAddr is used to send up a standby node's address to the active // node upon heartbeat ClusterAddr string `protobuf:"bytes,2,opt,name=cluster_addr,json=clusterAddr" json:"cluster_addr,omitempty"` // ClusterAddrs is used to send up a list of cluster addresses to a dr // primary from a dr secondary ClusterAddrs []string `protobuf:"bytes,3,rep,name=cluster_addrs,json=clusterAddrs" json:"cluster_addrs,omitempty"` }
func (*EchoRequest) Descriptor ¶ added in v0.7.3
func (*EchoRequest) Descriptor() ([]byte, []int)
func (*EchoRequest) GetClusterAddr ¶ added in v0.7.3
func (m *EchoRequest) GetClusterAddr() string
func (*EchoRequest) GetClusterAddrs ¶ added in v0.9.0
func (m *EchoRequest) GetClusterAddrs() []string
func (*EchoRequest) GetMessage ¶ added in v0.7.3
func (m *EchoRequest) GetMessage() string
func (*EchoRequest) ProtoMessage ¶ added in v0.7.3
func (*EchoRequest) ProtoMessage()
func (*EchoRequest) Reset ¶ added in v0.7.3
func (m *EchoRequest) Reset()
func (*EchoRequest) String ¶ added in v0.7.3
func (m *EchoRequest) String() string
type EncodedKeyring ¶ added in v0.2.0
EncodedKeyring is used for serialization of the keyring
type Entry ¶
Entry is used to represent data stored by the security barrier
func (*Entry) Logical ¶
func (e *Entry) Logical() *logical.StorageEntry
Logical turns the Entry into a logical storage entry.
type ErrInvalidKey ¶
type ErrInvalidKey struct {
Reason string
}
ErrInvalidKey is returned if there is a user-based error with a provided unseal key. This will be shown to the user, so should not contain information that is sensitive.
func (*ErrInvalidKey) Error ¶
func (e *ErrInvalidKey) Error() string
type ExpirationManager ¶
type ExpirationManager struct {
// contains filtered or unexported fields
}
ExpirationManager is used by the Core to manage leases. Secrets can provide a lease, meaning that they can be renewed or revoked. If a secret is not renewed in timely manner, it may be expired, and the ExpirationManager will handle doing automatic revocation.
func NewExpirationManager ¶
func NewExpirationManager(c *Core, view *BarrierView) *ExpirationManager
NewExpirationManager creates a new ExpirationManager that is backed using a given view, and uses the provided router for revocation.
func (*ExpirationManager) FetchLeaseTimes ¶ added in v0.5.0
func (m *ExpirationManager) FetchLeaseTimes(leaseID string) (*leaseEntry, error)
FetchLeaseTimes is used to fetch the issue time, expiration time, and last renewed time of a lease entry. It returns a leaseEntry itself, but with only those values copied over.
func (*ExpirationManager) FetchLeaseTimesByToken ¶ added in v0.5.0
func (m *ExpirationManager) FetchLeaseTimesByToken(source, token string) (*leaseEntry, error)
FetchLeaseTimesByToken is a helper function to use token values to compute the leaseID, rather than pushing that logic back into the token store.
func (*ExpirationManager) Register ¶
func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Response) (id string, retErr error)
Register is used to take a request and response with an associated lease. The secret gets assigned a LeaseID and the management of of lease is assumed by the expiration manager.
func (*ExpirationManager) RegisterAuth ¶
func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) error
RegisterAuth is used to take an Auth response with an associated lease. The token does not get a LeaseID, but the lease management is handled by the expiration manager.
func (*ExpirationManager) Renew ¶
func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*logical.Response, error)
Renew is used to renew a secret using the given leaseID and a renew interval. The increment may be ignored.
func (*ExpirationManager) RenewToken ¶
func (m *ExpirationManager) RenewToken(req *logical.Request, source string, token string, increment time.Duration) (*logical.Response, error)
RenewToken is used to renew a token which does not need to invoke a logical backend.
func (*ExpirationManager) Restore ¶
func (m *ExpirationManager) Restore(errorFunc func()) (retErr error)
Restore is used to recover the lease states when starting. This is used after starting the vault.
func (*ExpirationManager) RestoreSaltedTokenCheck ¶ added in v0.8.2
func (m *ExpirationManager) RestoreSaltedTokenCheck(source string, saltedID string) (bool, error)
RestoreSaltedTokenCheck verifies that the token is not expired while running in restore mode. If we are not in restore mode, the lease has already been restored or the lease still has time left, it returns true.
func (*ExpirationManager) Revoke ¶
func (m *ExpirationManager) Revoke(leaseID string) error
Revoke is used to revoke a secret named by the given LeaseID
func (*ExpirationManager) RevokeByToken ¶
func (m *ExpirationManager) RevokeByToken(te *TokenEntry) error
RevokeByToken is used to revoke all the secrets issued with a given token. This is done by using the secondary index. It also removes the lease entry for the token itself. As a result it should *ONLY* ever be called from the token store's revokeSalted function.
func (*ExpirationManager) RevokeForce ¶ added in v0.5.2
func (m *ExpirationManager) RevokeForce(prefix string) error
RevokeForce works similarly to RevokePrefix but continues in the case of a revocation error; this is mostly meant for recovery operations
func (*ExpirationManager) RevokePrefix ¶
func (m *ExpirationManager) RevokePrefix(prefix string) error
RevokePrefix is used to revoke all secrets with a given prefix. The prefix maps to that of the mount table to make this simpler to reason about.
func (*ExpirationManager) Stop ¶
func (m *ExpirationManager) Stop() error
Stop is used to prevent further automatic revocations. This must be called before sealing the view.
func (*ExpirationManager) Tidy ¶ added in v0.7.1
func (m *ExpirationManager) Tidy() error
Tidy cleans up the dangling storage entries for leases. It scans the storage view to find all the available leases, checks if the token embedded in it is either empty or invalid and in both the cases, it revokes them. It also uses a token cache to avoid multiple lookups of the same token ID. It is normally not required to use the API that invokes this. This is only intended to clean up the corrupt storage due to bugs.
type GenerateRootConfig ¶ added in v0.5.0
type GenerateRootConfig struct { Nonce string PGPKey string PGPFingerprint string OTP string Strategy GenerateRootStrategy }
GenerateRootConfig holds the configuration for a root generation command.
type GenerateRootResult ¶ added in v0.5.0
type GenerateRootResult struct { Progress int Required int EncodedToken string PGPFingerprint string }
GenerateRootResult holds the result of a root generation update command
type GenerateRootStrategy ¶ added in v0.9.0
type GenerateRootStrategy interface {
// contains filtered or unexported methods
}
GenerateRootStrategy allows us to swap out the strategy we want to use to create a token upon completion of the generate root process.
var ( // GenerateStandardRootTokenStrategy is the strategy used to generate a // typical root token GenerateStandardRootTokenStrategy GenerateRootStrategy = generateStandardRootToken{} )
type IdentityStore ¶ added in v0.9.0
type IdentityStore struct { // IdentityStore is a secret backend in Vault *framework.Backend // contains filtered or unexported fields }
IdentityStore is composed of its own storage view and a MemDB which maintains active in-memory replicas of the storage contents indexed by multiple fields.
func NewIdentityStore ¶ added in v0.9.0
func NewIdentityStore(ctx context.Context, core *Core, config *logical.BackendConfig) (*IdentityStore, error)
NewIdentityStore creates a new identity store
func (*IdentityStore) CreateOrFetchEntity ¶ added in v0.9.4
CreateOrFetchEntity creates a new entity. This is used by core to associate each login attempt by an alias to a unified entity in Vault.
func (*IdentityStore) Invalidate ¶ added in v0.9.0
func (i *IdentityStore) Invalidate(ctx context.Context, key string)
Invalidate is a callback wherein the backend is informed that the value at the given key is updated. In identity store's case, it would be the entity storage entries that get updated. The value needs to be read and MemDB needs to be updated accordingly.
func (*IdentityStore) LockForEntityID ¶ added in v0.9.0
func (i *IdentityStore) LockForEntityID(entityID string) *locksutil.LockEntry
LockForEntityID returns the lock used to modify the entity.
func (*IdentityStore) MemDBAliasByCanonicalID ¶ added in v0.9.0
func (*IdentityStore) MemDBAliasByCanonicalIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBAliasByFactors ¶ added in v0.9.0
func (*IdentityStore) MemDBAliasByFactorsInTxn ¶ added in v0.9.4
func (*IdentityStore) MemDBAliasByID ¶ added in v0.9.0
func (*IdentityStore) MemDBAliasByIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBAliases ¶ added in v0.9.0
func (i *IdentityStore) MemDBAliases(ws memdb.WatchSet, groupAlias bool) (memdb.ResultIterator, error)
func (*IdentityStore) MemDBAliasesByMetadata ¶ added in v0.9.0
func (*IdentityStore) MemDBDeleteAliasByID ¶ added in v0.9.0
func (i *IdentityStore) MemDBDeleteAliasByID(aliasID string, groupAlias bool) error
func (*IdentityStore) MemDBDeleteAliasByIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBDeleteEntityByID ¶ added in v0.9.0
func (i *IdentityStore) MemDBDeleteEntityByID(entityID string) error
func (*IdentityStore) MemDBDeleteEntityByIDInTxn ¶ added in v0.9.0
func (i *IdentityStore) MemDBDeleteEntityByIDInTxn(txn *memdb.Txn, entityID string) error
func (*IdentityStore) MemDBDeleteGroupByIDInTxn ¶ added in v0.9.0
func (i *IdentityStore) MemDBDeleteGroupByIDInTxn(txn *memdb.Txn, groupID string) error
func (*IdentityStore) MemDBDeleteGroupByNameInTxn ¶ added in v0.9.0
func (i *IdentityStore) MemDBDeleteGroupByNameInTxn(txn *memdb.Txn, groupName string) error
func (*IdentityStore) MemDBEntities ¶ added in v0.9.0
func (i *IdentityStore) MemDBEntities(ws memdb.WatchSet) (memdb.ResultIterator, error)
func (*IdentityStore) MemDBEntitiesByBucketEntryKeyHash ¶ added in v0.9.0
func (i *IdentityStore) MemDBEntitiesByBucketEntryKeyHash(hashValue string) ([]*identity.Entity, error)
func (*IdentityStore) MemDBEntitiesByBucketEntryKeyHashInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBEntitiesByMetadata ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByAliasID ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByAliasIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByID ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByMergedEntityID ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByMergedEntityIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByName ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByNameInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupByAliasID ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupByAliasIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupByID ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupByIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupByName ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupByNameInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupIterator ¶ added in v0.9.0
func (i *IdentityStore) MemDBGroupIterator(ws memdb.WatchSet) (memdb.ResultIterator, error)
func (*IdentityStore) MemDBGroupsByBucketEntryKeyHash ¶ added in v0.9.0
func (i *IdentityStore) MemDBGroupsByBucketEntryKeyHash(hashValue string) ([]*identity.Group, error)
func (*IdentityStore) MemDBGroupsByBucketEntryKeyHashInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupsByMemberEntityID ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupsByMemberEntityIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupsByParentGroupID ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupsByParentGroupIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupsByPolicy ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupsByPolicyInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBUpsertAlias ¶ added in v0.9.0
func (i *IdentityStore) MemDBUpsertAlias(alias *identity.Alias, groupAlias bool) error
func (*IdentityStore) MemDBUpsertAliasInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBUpsertEntity ¶ added in v0.9.0
func (i *IdentityStore) MemDBUpsertEntity(entity *identity.Entity) error
func (*IdentityStore) MemDBUpsertEntityInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBUpsertGroup ¶ added in v0.9.0
func (i *IdentityStore) MemDBUpsertGroup(group *identity.Group) error
func (*IdentityStore) MemDBUpsertGroupInTxn ¶ added in v0.9.0
func (*IdentityStore) UpsertGroup ¶ added in v0.9.0
func (i *IdentityStore) UpsertGroup(group *identity.Group, persist bool) error
type InitParams ¶ added in v0.6.2
type InitParams struct { BarrierConfig *SealConfig RecoveryConfig *SealConfig RootTokenPGPKey string }
InitParams keeps the init function from being littered with too many params, that's it!
type InitResult ¶
type InitResult struct { RootToken string }
InitResult is used to provide the key parts back after they are generated as part of the initialization.
type Key ¶ added in v0.2.0
Key represents a single term, along with the key used.
func DeserializeKey ¶ added in v0.2.0
DeserializeKey is used to deserialize and return a new key
type KeyNotFoundError ¶ added in v0.6.3
type KeyNotFoundError struct {
Err error
}
func (*KeyNotFoundError) Error ¶ added in v0.6.3
func (e *KeyNotFoundError) Error() string
func (*KeyNotFoundError) WrappedErrors ¶ added in v0.6.3
func (e *KeyNotFoundError) WrappedErrors() []error
type Keyring ¶ added in v0.2.0
type Keyring struct {
// contains filtered or unexported fields
}
Keyring is used to manage multiple encryption keys used by the barrier. New keys can be installed and each has a sequential term. The term used to encrypt a key is prefixed to the key written out. All data is encrypted with the latest key, but storing the old keys allows for decryption of keys written previously. Along with the encryption keys, the keyring also tracks the master key. This is necessary so that when a new key is added to the keyring, we can encrypt with the master key and write out the new keyring.
func DeserializeKeyring ¶ added in v0.2.0
DeserializeKeyring is used to deserialize and return a new keyring
func (*Keyring) ActiveTerm ¶ added in v0.2.0
ActiveTerm returns the currently active term
func (*Keyring) SetMasterKey ¶ added in v0.2.0
SetMasterKey is used to update the master key
type MountConfig ¶ added in v0.3.0
type MountConfig struct { DefaultLeaseTTL time.Duration `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` // Override for global default MaxLeaseTTL time.Duration `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"` // Override for global default ForceNoCache bool `json:"force_no_cache" structs:"force_no_cache" mapstructure:"force_no_cache"` // Override for global default PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"` }
MountConfig is used to hold settable options
type MountEntry ¶
type MountEntry struct { Table string `json:"table"` // The table it belongs to Path string `json:"path"` // Mount Path Type string `json:"type"` // Logical backend Type Description string `json:"description"` // User-provided description UUID string `json:"uuid"` // Barrier view UUID Accessor string `json:"accessor"` // Unique but more human-friendly ID. Does not change, not used for any sensitive things (like as a salt, which the UUID sometimes is). Config MountConfig `json:"config"` // Configuration related to this mount (but not backend-derived) Options map[string]string `json:"options"` // Backend options Local bool `json:"local"` // Local mounts are not replicated or affected by replication SealWrap bool `json:"seal_wrap"` // Whether to wrap CSPs Tainted bool `json:"tainted,omitempty"` // Set as a Write-Ahead flag for unmount/remount }
MountEntry is used to represent a mount table entry
func (*MountEntry) Clone ¶
func (e *MountEntry) Clone() (*MountEntry, error)
Clone returns a deep copy of the mount entry
type MountTable ¶
type MountTable struct { Type string `json:"type"` Entries []*MountEntry `json:"entries"` }
MountTable is used to represent the internal mount table
type NonFatalError ¶ added in v0.6.0
type NonFatalError struct {
Err error
}
NonFatalError is an error that can be returned during NewCore that should be displayed but not cause a program exit
func (*NonFatalError) Error ¶ added in v0.6.0
func (e *NonFatalError) Error() string
func (*NonFatalError) WrappedErrors ¶ added in v0.6.0
func (e *NonFatalError) WrappedErrors() []error
type PassthroughBackend ¶
PassthroughBackend is used storing secrets directly into the physical backend. The secrets are encrypted in the durable storage and custom TTL information can be specified, but otherwise this backend doesn't do anything fancy.
func (*PassthroughBackend) GeneratesLeases ¶ added in v0.3.0
func (b *PassthroughBackend) GeneratesLeases() bool
type PathRules ¶ added in v0.9.0
type PathRules struct { Prefix string Policy string Permissions *ACLPermissions Glob bool Capabilities []string // These keys are used at the top level to make the HCL nicer; we store in // the ACLPermissions object though MinWrappingTTLHCL interface{} `hcl:"min_wrapping_ttl"` MaxWrappingTTLHCL interface{} `hcl:"max_wrapping_ttl"` AllowedParametersHCL map[string][]interface{} `hcl:"allowed_parameters"` DeniedParametersHCL map[string][]interface{} `hcl:"denied_parameters"` RequiredParametersHCL []string `hcl:"required_parameters"` }
PathRules represents a policy for a path in the namespace.
type PluginCatalog ¶ added in v0.7.1
type PluginCatalog struct {
// contains filtered or unexported fields
}
PluginCatalog keeps a record of plugins known to vault. External plugins need to be registered to the catalog before they can be used in backends. Builtin plugins are automatically detected and included in the catalog.
func (*PluginCatalog) Delete ¶ added in v0.7.1
func (c *PluginCatalog) Delete(ctx context.Context, name string) error
Delete is used to remove an external plugin from the catalog. Builtin plugins can not be deleted.
func (*PluginCatalog) Get ¶ added in v0.7.1
func (c *PluginCatalog) Get(ctx context.Context, name string) (*pluginutil.PluginRunner, error)
Get retrieves a plugin with the specified name from the catalog. It first looks for external plugins with this name and then looks for builtin plugins. It returns a PluginRunner or an error if no plugin was found.
type Policy ¶
type Policy struct { Name string `hcl:"name"` Paths []*PathRules `hcl:"-"` Raw string Type PolicyType }
Policy is used to represent the policy specified by an ACL configuration.
func ParseACLPolicy ¶ added in v0.9.0
Parse is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL
type PolicyCheckOpts ¶ added in v0.9.0
type PolicyEntry ¶ added in v0.2.0
type PolicyEntry struct { Version int Raw string Type PolicyType }
PolicyEntry is used to store a policy by name
type PolicyStore ¶
type PolicyStore struct {
// contains filtered or unexported fields
}
PolicyStore is used to provide durable storage of policy, and to manage ACLs associated with them.
func NewPolicyStore ¶
func NewPolicyStore(ctx context.Context, core *Core, baseView *BarrierView, system logical.SystemView, logger log.Logger) *PolicyStore
NewPolicyStore creates a new PolicyStore that is backed using a given view. It used used to durable store and manage named policy.
func (*PolicyStore) DeletePolicy ¶
func (ps *PolicyStore) DeletePolicy(ctx context.Context, name string, policyType PolicyType) error
DeletePolicy is used to delete the named policy
func (*PolicyStore) GetPolicy ¶
func (ps *PolicyStore) GetPolicy(ctx context.Context, name string, policyType PolicyType) (*Policy, error)
GetPolicy is used to fetch the named policy
func (*PolicyStore) ListPolicies ¶
func (ps *PolicyStore) ListPolicies(ctx context.Context, policyType PolicyType) ([]string, error)
ListPolicies is used to list the available policies
type PolicyType ¶ added in v0.9.0
type PolicyType uint32
const ( PolicyTypeACL PolicyType = iota PolicyTypeRGP PolicyTypeEGP // Triggers a lookup in the map to figure out if ACL or RGP PolicyTypeToken )
func (PolicyType) String ¶ added in v0.9.0
func (p PolicyType) String() string
type RekeyBackup ¶ added in v0.5.0
RekeyBackup stores the backup copy of PGP-encrypted keys
type RekeyResult ¶ added in v0.2.0
RekeyResult is used to provide the key parts back after they are generated as part of the rekey.
type ReplicatedClusters ¶ added in v0.9.5
type ReplicatedClusters struct { }
This is used for enterprise replication information
type RequestForwardingClient ¶ added in v0.6.1
type RequestForwardingClient interface { ForwardRequest(ctx context.Context, in *forwarding.Request, opts ...grpc.CallOption) (*forwarding.Response, error) Echo(ctx context.Context, in *EchoRequest, opts ...grpc.CallOption) (*EchoReply, error) }
func NewRequestForwardingClient ¶ added in v0.6.1
func NewRequestForwardingClient(cc *grpc.ClientConn) RequestForwardingClient
type RequestForwardingServer ¶ added in v0.6.1
type RequestForwardingServer interface { ForwardRequest(context.Context, *forwarding.Request) (*forwarding.Response, error) Echo(context.Context, *EchoRequest) (*EchoReply, error) }
type RollbackManager ¶
type RollbackManager struct {
// contains filtered or unexported fields
}
RollbackManager is responsible for performing rollbacks of partial secrets within logical backends.
During normal operations, it is possible for logical backends to error partially through an operation. These are called "partial secrets": they are never sent back to a user, but they do need to be cleaned up. This manager handles that by periodically (on a timer) requesting that the backends clean up.
The RollbackManager periodically initiates a logical.RollbackOperation on every mounted logical backend. It ensures that only one rollback operation is in-flight at any given time within a single seal/unseal phase.
func NewRollbackManager ¶
func NewRollbackManager(logger log.Logger, backendsFunc func() []*MountEntry, router *Router, ctx context.Context) *RollbackManager
NewRollbackManager is used to create a new rollback manager
func (*RollbackManager) Rollback ¶
func (m *RollbackManager) Rollback(path string) error
Rollback is used to trigger an immediate rollback of the path, or to join an existing rollback operation if in flight.
func (*RollbackManager) Stop ¶
func (m *RollbackManager) Stop()
Stop stops the running manager. This will wait for any in-flight rollbacks to complete.
type Router ¶
type Router struct {
// contains filtered or unexported fields
}
Router is used to do prefix based routing of a request to a logical backend
func (*Router) MatchingBackend ¶ added in v0.3.0
MatchingBackend returns the backend used for a path
func (*Router) MatchingMount ¶
MatchingMount returns the mount prefix that would be used for a path
func (*Router) MatchingMountByAccessor ¶ added in v0.8.0
func (r *Router) MatchingMountByAccessor(mountAccessor string) *MountEntry
MatchingMountByAccessor returns the MountEntry by accessor lookup
func (*Router) MatchingMountByUUID ¶ added in v0.8.0
func (r *Router) MatchingMountByUUID(mountID string) *MountEntry
func (*Router) MatchingMountEntry ¶ added in v0.3.0
func (r *Router) MatchingMountEntry(path string) *MountEntry
MatchingMountEntry returns the MountEntry used for a path
func (*Router) MatchingStorageByAPIPath ¶ added in v0.9.0
MatchingStorageByAPIPath/StoragePath returns the storage used for API/Storage paths respectively
func (*Router) MatchingStorageByStoragePath ¶ added in v0.9.0
func (*Router) MatchingStoragePrefixByAPIPath ¶ added in v0.9.0
MatchingStoragePrefixByAPIPath/StoragePath returns the mount path matching and storage prefix matching the given API/Storage path respectively
func (*Router) MatchingStoragePrefixByStoragePath ¶ added in v0.9.0
func (*Router) MatchingSystemView ¶ added in v0.3.0
func (r *Router) MatchingSystemView(path string) logical.SystemView
MatchingSystemView returns the SystemView used for a path
func (*Router) Mount ¶
func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, storageView *BarrierView) error
Mount is used to expose a logical backend at a given prefix, using a unique salt, and the barrier view for that path.
func (*Router) MountConflict ¶ added in v0.9.0
MountConflict determines if there are potential path conflicts
func (*Router) RouteExistenceCheck ¶ added in v0.5.0
Route is used to route a given existence check request
func (*Router) Taint ¶
Taint is used to mark a path as tainted. This means only RollbackOperation RevokeOperation requests are allowed to proceed
type RouterAccess ¶ added in v0.9.0
type RouterAccess struct {
// contains filtered or unexported fields
}
RouterAccess provides access into some things necessary for testing
func NewRouterAccess ¶ added in v0.9.0
func NewRouterAccess(c *Core) *RouterAccess
func (*RouterAccess) StoragePrefixByAPIPath ¶ added in v0.9.0
func (r *RouterAccess) StoragePrefixByAPIPath(path string) (string, string, bool)
type Seal ¶ added in v0.6.0
type Seal interface { SetCore(*Core) Init(context.Context) error Finalize(context.Context) error StoredKeysSupported() bool SetStoredKeys(context.Context, [][]byte) error GetStoredKeys(context.Context) ([][]byte, error) BarrierType() string BarrierConfig(context.Context) (*SealConfig, error) SetBarrierConfig(context.Context, *SealConfig) error RecoveryKeySupported() bool RecoveryType() string RecoveryConfig(context.Context) (*SealConfig, error) SetRecoveryConfig(context.Context, *SealConfig) error SetRecoveryKey(context.Context, []byte) error VerifyRecoveryKey(context.Context, []byte) error }
func NewDefaultSeal ¶ added in v0.9.5
func NewDefaultSeal() Seal
func NewTestSeal ¶ added in v0.9.0
func NewTestSeal(t testing.T, opts *TestSealOpts) Seal
type SealAccess ¶ added in v0.6.0
type SealAccess struct {
// contains filtered or unexported fields
}
SealAccess is a wrapper around Seal that exposes accessor methods through Core.SealAccess() while restricting the ability to modify Core.seal itself.
func NewSealAccess ¶ added in v0.9.0
func NewSealAccess(seal Seal) *SealAccess
func (*SealAccess) BarrierConfig ¶ added in v0.6.0
func (s *SealAccess) BarrierConfig(ctx context.Context) (*SealConfig, error)
func (*SealAccess) ClearCaches ¶ added in v0.9.0
func (s *SealAccess) ClearCaches(ctx context.Context)
func (*SealAccess) RecoveryConfig ¶ added in v0.6.0
func (s *SealAccess) RecoveryConfig(ctx context.Context) (*SealConfig, error)
func (*SealAccess) RecoveryKeySupported ¶ added in v0.6.0
func (s *SealAccess) RecoveryKeySupported() bool
func (*SealAccess) StoredKeysSupported ¶ added in v0.6.0
func (s *SealAccess) StoredKeysSupported() bool
func (*SealAccess) VerifyRecoveryKey ¶ added in v0.9.0
func (s *SealAccess) VerifyRecoveryKey(ctx context.Context, key []byte) error
type SealConfig ¶
type SealConfig struct { // The type, for sanity checking Type string `json:"type"` // the N value of Shamir. SecretShares int `json:"secret_shares"` // SecretThreshold is the number of parts required to open the vault. This // is the T value of Shamir. SecretThreshold int `json:"secret_threshold"` // PGPKeys is the array of public PGP keys used, if requested, to encrypt // the output unseal tokens. If provided, it sets the value of // SecretShares. Ordering is important. PGPKeys []string `json:"pgp_keys"` // Nonce is a nonce generated by Vault used to ensure that when unseal keys // are submitted for a rekey operation, the rekey operation itself is the // one intended. This prevents hijacking of the rekey operation, since it // is unauthenticated. Nonce string `json:"nonce"` // Backup indicates whether or not a backup of PGP-encrypted unseal keys // should be stored at coreUnsealKeysBackupPath after successful rekeying. Backup bool `json:"backup"` StoredShares int `json:"stored_shares"` }
SealConfig is used to describe the seal configuration
func (*SealConfig) Clone ¶ added in v0.6.0
func (s *SealConfig) Clone() *SealConfig
func (*SealConfig) Validate ¶
func (s *SealConfig) Validate() error
Validate is used to sanity check the seal configuration
type SecurityBarrier ¶
type SecurityBarrier interface { // Initialized checks if the barrier has been initialized // and has a master key set. Initialized(ctx context.Context) (bool, error) // Initialize works only if the barrier has not been initialized // and makes use of the given master key. Initialize(context.Context, []byte) error // GenerateKey is used to generate a new key GenerateKey() ([]byte, error) // KeyLength is used to sanity check a key KeyLength() (int, int) // Sealed checks if the barrier has been unlocked yet. The Barrier // is not expected to be able to perform any CRUD until it is unsealed. Sealed() (bool, error) // Unseal is used to provide the master key which permits the barrier // to be unsealed. If the key is not correct, the barrier remains sealed. Unseal(ctx context.Context, key []byte) error // VerifyMaster is used to check if the given key matches the master key VerifyMaster(key []byte) error // SetMasterKey is used to directly set a new master key. This is used in // repliated scenarios due to the chicken and egg problem of reloading the // keyring from disk before we have the master key to decrypt it. SetMasterKey(key []byte) error // ReloadKeyring is used to re-read the underlying keyring. // This is used for HA deployments to ensure the latest keyring // is present in the leader. ReloadKeyring(ctx context.Context) error // ReloadMasterKey is used to re-read the underlying masterkey. // This is used for HA deployments to ensure the latest master key // is available for keyring reloading. ReloadMasterKey(ctx context.Context) error // Seal is used to re-seal the barrier. This requires the barrier to // be unsealed again to perform any further operations. Seal() error // Rotate is used to create a new encryption key. All future writes // should use the new key, while old values should still be decryptable. Rotate(ctx context.Context) (uint32, error) // CreateUpgrade creates an upgrade path key to the given term from the previous term CreateUpgrade(ctx context.Context, term uint32) error // DestroyUpgrade destroys the upgrade path key to the given term DestroyUpgrade(ctx context.Context, term uint32) error // CheckUpgrade looks for an upgrade to the current term and installs it CheckUpgrade(ctx context.Context) (bool, uint32, error) // ActiveKeyInfo is used to inform details about the active key ActiveKeyInfo() (*KeyInfo, error) // Rekey is used to change the master key used to protect the keyring Rekey(context.Context, []byte) error // For replication we must send over the keyring, so this must be available Keyring() (*Keyring, error) // SecurityBarrier must provide the storage APIs BarrierStorage // SecurityBarrier must provide the encryption APIs BarrierEncryptor }
SecurityBarrier is a critical component of Vault. It is used to wrap an untrusted physical backend and provide a single point of encryption, decryption and checksum verification. The goal is to ensure that any data written to the barrier is confidential and that integrity is preserved. As a real-world analogy, this is the steel and concrete wrapper around a Vault. The barrier should only be Unlockable given its key.
type SystemBackend ¶
type SystemBackend struct { *framework.Backend Core *Core // contains filtered or unexported fields }
SystemBackend implements logical.Backend and is used to interact with the core of the system. This backend is hardcoded to exist at the "sys" prefix. Conceptually it is similar to procfs on Linux.
func NewSystemBackend ¶
func NewSystemBackend(core *Core) *SystemBackend
type TestCluster ¶ added in v0.6.1
type TestCluster struct { BarrierKeys [][]byte RecoveryKeys [][]byte CACert *x509.Certificate CACertBytes []byte CACertPEM []byte CACertPEMFile string CAKey *ecdsa.PrivateKey CAKeyPEM []byte Cores []*TestClusterCore ID string RootToken string RootCAs *x509.CertPool TempDir string }
func NewTestCluster ¶ added in v0.8.0
func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *TestCluster
NewTestCluster creates a new test cluster based on the provided core config and test cluster options.
N.B. Even though a single base CoreConfig is provided, NewTestCluster will instantiate a core config for each core it creates. If separate seal per core is desired, opts.SealFunc can be provided to generate a seal for each one. Otherwise, the provided base.Seal will be shared among cores. NewCore's default behavior is to generate a new DefaultSeal if the provided Seal in coreConfig (i.e. base.Seal) is nil.
func (*TestCluster) Cleanup ¶ added in v0.8.0
func (c *TestCluster) Cleanup()
func (*TestCluster) EnsureCoresSealed ¶ added in v0.8.2
func (c *TestCluster) EnsureCoresSealed(t testing.T)
func (*TestCluster) Start ¶ added in v0.8.0
func (c *TestCluster) Start()
func (*TestCluster) UnsealWithStoredKeys ¶ added in v0.9.1
func (c *TestCluster) UnsealWithStoredKeys(t testing.T) error
UnsealWithStoredKeys uses stored keys to unseal the test cluster cores
type TestClusterCore ¶ added in v0.6.1
type TestClusterCore struct { *Core Client *api.Client Handler http.Handler Listeners []*TestListener ReloadFuncs *map[string][]reload.ReloadFunc ReloadFuncsLock *sync.RWMutex Server *http.Server ServerCert *x509.Certificate ServerCertBytes []byte ServerCertPEM []byte ServerKey *ecdsa.PrivateKey ServerKeyPEM []byte TLSConfig *tls.Config UnderlyingStorage physical.Backend }
type TestClusterOptions ¶ added in v0.8.0
type TestSealOpts ¶ added in v0.9.0
type TokenEntry ¶
type TokenEntry struct { // ID of this entry, generally a random UUID ID string `json:"id" mapstructure:"id" structs:"id" sentinel:""` // Accessor for this token, a random UUID Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor" sentinel:""` // Parent token, used for revocation trees Parent string `json:"parent" mapstructure:"parent" structs:"parent" sentinel:""` // Which named policies should be used Policies []string `json:"policies" mapstructure:"policies" structs:"policies"` // Used for audit trails, this is something like "auth/user/login" Path string `json:"path" mapstructure:"path" structs:"path"` // Used for auditing. This could include things like "source", "user", "ip" Meta map[string]string `json:"meta" mapstructure:"meta" structs:"meta" sentinel:"meta"` // Used for operators to be able to associate with the source DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"` // Used to restrict the number of uses (zero is unlimited). This is to // support one-time-tokens (generalized). There are a few special values: // if it's -1 it has run through its use counts and is executing its final // use; if it's -2 it is tainted, which means revocation is currently // running on it; and if it's -3 it's also tainted but revocation // previously ran and failed, so this hints the tidy function to try it // again. NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"` // Time of token creation CreationTime int64 `json:"creation_time" mapstructure:"creation_time" structs:"creation_time" sentinel:""` // Duration set when token was created TTL time.Duration `json:"ttl" mapstructure:"ttl" structs:"ttl" sentinel:""` // Explicit maximum TTL on the token ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl" sentinel:""` // If set, the role that was used for parameters at creation time Role string `json:"role" mapstructure:"role" structs:"role"` // If set, the period of the token. This is only used when created directly // through the create endpoint; periods managed by roles or other auth // backends are subject to those renewal rules. Period time.Duration `json:"period" mapstructure:"period" structs:"period" sentinel:""` // These are the deprecated fields DisplayNameDeprecated string `json:"DisplayName" mapstructure:"DisplayName" structs:"DisplayName" sentinel:""` NumUsesDeprecated int `json:"NumUses" mapstructure:"NumUses" structs:"NumUses" sentinel:""` CreationTimeDeprecated int64 `json:"CreationTime" mapstructure:"CreationTime" structs:"CreationTime" sentinel:""` ExplicitMaxTTLDeprecated time.Duration `json:"ExplicitMaxTTL" mapstructure:"ExplicitMaxTTL" structs:"ExplicitMaxTTL" sentinel:""` EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"` }
TokenEntry is used to represent a given token
func (*TokenEntry) SentinelGet ¶ added in v0.9.0
func (te *TokenEntry) SentinelGet(key string) (interface{}, error)
func (*TokenEntry) SentinelKeys ¶ added in v0.9.0
func (te *TokenEntry) SentinelKeys() []string
type TokenStore ¶
TokenStore is used to manage client tokens. Tokens are used for clients to authenticate, and each token is mapped to an applicable set of policy which is used for authorization.
func NewTokenStore ¶
func NewTokenStore(ctx context.Context, c *Core, config *logical.BackendConfig) (*TokenStore, error)
NewTokenStore is used to construct a token store that is backed by the given barrier view.
func (*TokenStore) Invalidate ¶ added in v0.8.0
func (ts *TokenStore) Invalidate(ctx context.Context, key string)
func (*TokenStore) Lookup ¶
func (ts *TokenStore) Lookup(ctx context.Context, id string) (*TokenEntry, error)
Lookup is used to find a token given its ID. It acquires a read lock, then calls lookupSalted.
func (*TokenStore) Revoke ¶
func (ts *TokenStore) Revoke(ctx context.Context, id string) error
Revoke is used to invalidate a given token, any child tokens will be orphaned.
func (*TokenStore) RevokeTree ¶
func (ts *TokenStore) RevokeTree(ctx context.Context, id string) error
RevokeTree is used to invalide a given token and all child tokens.
func (*TokenStore) SaltID ¶
func (ts *TokenStore) SaltID(id string) (string, error)
SaltID is used to apply a salt and hash to an ID to make sure its not reversible
func (*TokenStore) SetExpirationManager ¶
func (ts *TokenStore) SetExpirationManager(exp *ExpirationManager)
SetExpirationManager is used to provide the token store with an expiration manager. This is used to manage prefix based revocation of tokens and to tidy entries when removed from the token store.
func (*TokenStore) UseToken ¶
func (ts *TokenStore) UseToken(ctx context.Context, te *TokenEntry) (*TokenEntry, error)
UseToken is used to manage restricted use tokens and decrement their available uses. Returns two values: a potentially updated entry or, if the token has been revoked, nil; and whether an error was encountered. The locking here isn't perfect, as other parts of the code may update an entry, but usually none after the entry is already created...so this is pretty good.
func (*TokenStore) UseTokenByID ¶ added in v0.6.2
func (ts *TokenStore) UseTokenByID(ctx context.Context, id string) (*TokenEntry, error)
Source Files ¶
- acl.go
- audit.go
- audited_headers.go
- auth.go
- barrier.go
- barrier_access.go
- barrier_aes_gcm.go
- barrier_view.go
- capabilities.go
- cluster.go
- core.go
- cors.go
- dynamic_system_view.go
- expiration.go
- generate_root.go
- identity_lookup.go
- identity_store.go
- identity_store_aliases.go
- identity_store_entities.go
- identity_store_group_aliases.go
- identity_store_groups.go
- identity_store_schema.go
- identity_store_structs.go
- identity_store_upgrade.go
- identity_store_util.go
- init.go
- keyring.go
- logical_cubbyhole.go
- logical_passthrough.go
- logical_system.go
- logical_system_helpers.go
- mount.go
- plugin_catalog.go
- plugin_reload.go
- policy.go
- policy_store.go
- rekey.go
- request_forwarding.go
- request_forwarding_service.pb.go
- request_handling.go
- rollback.go
- router.go
- router_access.go
- seal.go
- seal_access.go
- seal_testing.go
- sealunwrapper.go
- testing.go
- token_store.go
- util.go
- wrapping.go