Documentation ¶
Index ¶
- Constants
- Variables
- func AddTestLogicalBackend(name string, factory logical.Factory) error
- func ClearView(view *BarrierView) error
- func CollectKeys(view *BarrierView) ([]string, error)
- func CubbyholeBackendFactory(conf *logical.BackendConfig) (logical.Backend, error)
- func GenerateRandBytes(length int) ([]byte, error)
- func LeaseSwitchedPassthroughBackend(conf *logical.BackendConfig, leases bool) (logical.Backend, error)
- func LeasedPassthroughBackendFactory(conf *logical.BackendConfig) (logical.Backend, error)
- func NewSystemBackend(core *Core, config *logical.BackendConfig) logical.Backend
- func PassthroughBackendFactory(conf *logical.BackendConfig) (logical.Backend, error)
- func ScanView(view *BarrierView, cb func(path string)) error
- func StartSSHHostTestServer() (string, error)
- func TestCoreInit(t *testing.T, core *Core) ([]byte, string)
- func TestCoreWithTokenStore(t *testing.T) (*Core, *TokenStore, []byte, string)
- func TestKeyCopy(key []byte) []byte
- type ACL
- type AESGCMBarrier
- func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error)
- func (b *AESGCMBarrier) CheckUpgrade() (bool, uint32, error)
- func (b *AESGCMBarrier) CreateUpgrade(term uint32) error
- func (b *AESGCMBarrier) Delete(key string) error
- func (b *AESGCMBarrier) DestroyUpgrade(term uint32) error
- func (b *AESGCMBarrier) GenerateKey() ([]byte, error)
- func (b *AESGCMBarrier) Get(key string) (*Entry, error)
- func (b *AESGCMBarrier) Initialize(key []byte) error
- func (b *AESGCMBarrier) Initialized() (bool, error)
- func (b *AESGCMBarrier) KeyLength() (int, int)
- func (b *AESGCMBarrier) List(prefix string) ([]string, error)
- func (b *AESGCMBarrier) Put(entry *Entry) error
- func (b *AESGCMBarrier) Rekey(key []byte) error
- func (b *AESGCMBarrier) ReloadKeyring() error
- func (b *AESGCMBarrier) ReloadMasterKey() error
- func (b *AESGCMBarrier) Rotate() (uint32, error)
- func (b *AESGCMBarrier) Seal() error
- func (b *AESGCMBarrier) Sealed() (bool, error)
- func (b *AESGCMBarrier) Unseal(key []byte) error
- func (b *AESGCMBarrier) VerifyMaster(key []byte) error
- type AuditBroker
- func (a *AuditBroker) Deregister(name string)
- func (a *AuditBroker) GetHash(name string, input string) (string, error)
- func (a *AuditBroker) IsRegistered(name string) bool
- func (a *AuditBroker) LogRequest(auth *logical.Auth, req *logical.Request, outerErr error) (reterr error)
- func (a *AuditBroker) LogResponse(auth *logical.Auth, req *logical.Request, resp *logical.Response, err error) (reterr error)
- func (a *AuditBroker) Register(name string, b audit.Backend, v *BarrierView)
- type BarrierStorage
- type BarrierView
- type Core
- func (c *Core) GenerateRootCancel() error
- func (c *Core) GenerateRootConfiguration() (*GenerateRootConfig, error)
- func (c *Core) GenerateRootInit(otp, pgpKey string) error
- func (c *Core) GenerateRootProgress() (int, error)
- func (c *Core) GenerateRootUpdate(key []byte, nonce string) (*GenerateRootResult, error)
- func (c *Core) HandleRequest(req *logical.Request) (resp *logical.Response, err error)
- func (c *Core) Initialize(config *SealConfig) (*InitResult, error)
- func (c *Core) Initialized() (bool, error)
- func (c *Core) Leader() (bool, string, error)
- func (c *Core) RekeyCancel() error
- func (c *Core) RekeyConfig() (*SealConfig, error)
- func (c *Core) RekeyDeleteBackup() error
- func (c *Core) RekeyInit(config *SealConfig) error
- func (c *Core) RekeyProgress() (int, error)
- func (c *Core) RekeyRetrieveBackup() (*RekeyBackup, error)
- func (c *Core) RekeyUpdate(key []byte, nonce string) (*RekeyResult, error)
- func (c *Core) ResetUnsealProcess()
- func (c *Core) Seal(token string) (retErr error)
- func (c *Core) SealConfig() (*SealConfig, error)
- func (c *Core) Sealed() (bool, error)
- func (c *Core) SecretProgress() int
- func (c *Core) Shutdown() error
- func (c *Core) Standby() (bool, error)
- func (c *Core) Unseal(key []byte) (bool, error)
- type CoreConfig
- type CubbyholeBackend
- type EncodedKeyring
- type Entry
- type ErrInvalidKey
- type ExpirationManager
- func (m *ExpirationManager) FetchLeaseTimes(leaseID string) (*leaseEntry, error)
- func (m *ExpirationManager) FetchLeaseTimesByToken(source, token string) (*leaseEntry, error)
- func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Response) (string, error)
- func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) error
- func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*logical.Response, error)
- func (m *ExpirationManager) RenewToken(req *logical.Request, source string, token string, increment time.Duration) (*logical.Auth, error)
- func (m *ExpirationManager) Restore() error
- func (m *ExpirationManager) Revoke(leaseID string) error
- func (m *ExpirationManager) RevokeByToken(token string) error
- func (m *ExpirationManager) RevokePrefix(prefix string) error
- func (m *ExpirationManager) Stop() error
- type GenerateRootConfig
- type GenerateRootResult
- type InitResult
- type Key
- type KeyInfo
- type Keyring
- func (k *Keyring) ActiveKey() *Key
- func (k *Keyring) ActiveTerm() uint32
- func (k *Keyring) AddKey(key *Key) (*Keyring, error)
- func (k *Keyring) Clone() *Keyring
- func (k *Keyring) MasterKey() []byte
- func (k *Keyring) RemoveKey(term uint32) (*Keyring, error)
- func (k *Keyring) Serialize() ([]byte, error)
- func (k *Keyring) SetMasterKey(val []byte) *Keyring
- func (k *Keyring) TermKey(term uint32) *Key
- type MountConfig
- type MountEntry
- type MountTable
- type PassthroughBackend
- type PathCapabilities
- type Policy
- type PolicyEntry
- type PolicyStore
- type RekeyBackup
- type RekeyResult
- type RollbackManager
- type Router
- func (r *Router) LoginPath(path string) bool
- func (r *Router) MatchingBackend(path string) logical.Backend
- func (r *Router) MatchingMount(path string) string
- func (r *Router) MatchingMountEntry(path string) *MountEntry
- func (r *Router) MatchingStorageView(path string) *BarrierView
- func (r *Router) MatchingSystemView(path string) logical.SystemView
- func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, ...) error
- func (r *Router) Remount(src, dst string) error
- func (r *Router) RootPath(path string) bool
- func (r *Router) Route(req *logical.Request) (*logical.Response, error)
- func (r *Router) RouteExistenceCheck(req *logical.Request) (bool, bool, error)
- func (r *Router) Taint(path string) error
- func (r *Router) Unmount(prefix string) error
- func (r *Router) Untaint(path string) error
- type SealConfig
- type SecurityBarrier
- type SystemBackend
- type TokenEntry
- type TokenStore
- func (ts *TokenStore) Lookup(id string) (*TokenEntry, error)
- func (ts *TokenStore) Revoke(id string) error
- func (ts *TokenStore) RevokeTree(id string) error
- func (ts *TokenStore) SaltID(id string) string
- func (ts *TokenStore) SetExpirationManager(exp *ExpirationManager)
- func (ts *TokenStore) UseToken(te *TokenEntry) error
Constants ¶
const ( AESGCMVersion1 = 0x1 AESGCMVersion2 = 0x2 )
Versions of the AESGCM storage methodology
const ( DenyCapability = "deny" CreateCapability = "create" ReadCapability = "read" UpdateCapability = "update" DeleteCapability = "delete" ListCapability = "list" SudoCapability = "sudo" // Backwards compatibility OldDenyPathPolicy = "deny" OldReadPathPolicy = "read" OldWritePathPolicy = "write" OldSudoPathPolicy = "sudo" )
const ( DenyCapabilityInt uint32 = 1 << iota CreateCapabilityInt ReadCapabilityInt UpdateCapabilityInt DeleteCapabilityInt ListCapabilityInt SudoCapabilityInt )
Variables ¶
var ( // ErrBarrierSealed is returned if an operation is performed on // a sealed barrier. No operation is expected to succeed before unsealing ErrBarrierSealed = errors.New("Vault is sealed") // ErrBarrierAlreadyInit is returned if the barrier is already // initialized. This prevents a re-initialization. ErrBarrierAlreadyInit = errors.New("Vault is already initialized") // ErrBarrierNotInit is returned if a non-initialized barrier // is attempted to be unsealed. ErrBarrierNotInit = errors.New("Vault is not initialized") // ErrBarrierInvalidKey is returned if the Unseal key is invalid ErrBarrierInvalidKey = errors.New("Unseal failed, invalid key") )
var ( // ErrSealed is returned if an operation is performed on // a sealed barrier. No operation is expected to succeed before unsealing ErrSealed = errors.New("Vault is sealed") // ErrStandby is returned if an operation is performed on // a standby Vault. No operation is expected to succeed until active. ErrStandby = errors.New("Vault is in standby mode") // ErrAlreadyInit is returned if the core is already // initialized. This prevents a re-initialization. ErrAlreadyInit = errors.New("Vault is already initialized") // ErrNotInit is returned if a non-initialized barrier // is attempted to be unsealed. ErrNotInit = errors.New("Vault is not initialized") // ErrInternalError is returned when we don't want to leak // any information about an internal error ErrInternalError = errors.New("internal error") // ErrHANotEnabled is returned if the operation only makes sense // in an HA setting ErrHANotEnabled = errors.New("Vault is not configured for highly-available mode") )
Functions ¶
func AddTestLogicalBackend ¶ added in v0.3.0
This adds a logical backend for the test core. This needs to be invoked before the test core is created.
func ClearView ¶
func ClearView(view *BarrierView) error
ClearView is used to delete all the keys in a view
func CollectKeys ¶
func CollectKeys(view *BarrierView) ([]string, error)
CollectKeys is used to collect all the keys in a view
func CubbyholeBackendFactory ¶ added in v0.3.0
func CubbyholeBackendFactory(conf *logical.BackendConfig) (logical.Backend, error)
CubbyholeBackendFactory constructs a new cubbyhole backend
func GenerateRandBytes ¶ added in v0.5.0
func LeaseSwitchedPassthroughBackend ¶ added in v0.3.0
func LeaseSwitchedPassthroughBackend(conf *logical.BackendConfig, leases bool) (logical.Backend, error)
LeaseSwitchedPassthroughBackendFactory returns a PassthroughBackend with leases switched on or off
func LeasedPassthroughBackendFactory ¶ added in v0.3.0
func LeasedPassthroughBackendFactory(conf *logical.BackendConfig) (logical.Backend, error)
PassthroughBackendWithLeasesFactory returns a PassthroughBackend with leases switched on
func NewSystemBackend ¶
func NewSystemBackend(core *Core, config *logical.BackendConfig) logical.Backend
func PassthroughBackendFactory ¶
func PassthroughBackendFactory(conf *logical.BackendConfig) (logical.Backend, error)
PassthroughBackendFactory returns a PassthroughBackend with leases switched off
func ScanView ¶
func ScanView(view *BarrierView, cb func(path string)) error
ScanView is used to scan all the keys in a view iteratively
func StartSSHHostTestServer ¶ added in v0.3.0
Starts the test server which responds to SSH authentication. Used to test the SSH secret backend.
func TestCoreInit ¶
TestCoreInit initializes the core with a single key, and returns the key that must be used to unseal the core and a root token.
func TestCoreWithTokenStore ¶ added in v0.5.0
TestCoreWithTokenStore returns an in-memory core that has a token store mounted, so that logical token functions can be used
func TestKeyCopy ¶
TestKeyCopy is a silly little function to just copy the key so that it can be used with Unseal easily.
Types ¶
type ACL ¶
type ACL struct {
// contains filtered or unexported fields
}
ACL is used to wrap a set of policies to provide an efficient interface for access control.
type AESGCMBarrier ¶
type AESGCMBarrier struct {
// contains filtered or unexported fields
}
AESGCMBarrier is a SecurityBarrier implementation that uses the AES cipher core and the Galois Counter Mode block mode. It defaults to the golang NONCE default value of 12 and a key size of 256 bit. AES-GCM is high performance, and provides both confidentiality and integrity.
func NewAESGCMBarrier ¶
func NewAESGCMBarrier(physical physical.Backend) (*AESGCMBarrier, error)
NewAESGCMBarrier is used to construct a new barrier that uses the provided physical backend for storage.
func (*AESGCMBarrier) ActiveKeyInfo ¶ added in v0.2.0
func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error)
ActiveKeyInfo is used to inform details about the active key
func (*AESGCMBarrier) CheckUpgrade ¶ added in v0.2.0
func (b *AESGCMBarrier) CheckUpgrade() (bool, uint32, error)
CheckUpgrade looks for an upgrade to the current term and installs it
func (*AESGCMBarrier) CreateUpgrade ¶ added in v0.2.0
func (b *AESGCMBarrier) CreateUpgrade(term uint32) error
CreateUpgrade creates an upgrade path key to the given term from the previous term
func (*AESGCMBarrier) Delete ¶
func (b *AESGCMBarrier) Delete(key string) error
Delete is used to permanently delete an entry
func (*AESGCMBarrier) DestroyUpgrade ¶ added in v0.2.0
func (b *AESGCMBarrier) DestroyUpgrade(term uint32) error
DestroyUpgrade destroys the upgrade path key to the given term
func (*AESGCMBarrier) GenerateKey ¶
func (b *AESGCMBarrier) GenerateKey() ([]byte, error)
GenerateKey is used to generate a new key
func (*AESGCMBarrier) Get ¶
func (b *AESGCMBarrier) Get(key string) (*Entry, error)
Get is used to fetch an entry
func (*AESGCMBarrier) Initialize ¶
func (b *AESGCMBarrier) Initialize(key []byte) error
Initialize works only if the barrier has not been initialized and makes use of the given master key.
func (*AESGCMBarrier) Initialized ¶
func (b *AESGCMBarrier) Initialized() (bool, error)
Initialized checks if the barrier has been initialized and has a master key set.
func (*AESGCMBarrier) KeyLength ¶
func (b *AESGCMBarrier) KeyLength() (int, int)
KeyLength is used to sanity check a key
func (*AESGCMBarrier) List ¶
func (b *AESGCMBarrier) List(prefix string) ([]string, error)
List is used ot list all the keys under a given prefix, up to the next prefix.
func (*AESGCMBarrier) Put ¶
func (b *AESGCMBarrier) Put(entry *Entry) error
Put is used to insert or update an entry
func (*AESGCMBarrier) Rekey ¶ added in v0.2.0
func (b *AESGCMBarrier) Rekey(key []byte) error
Rekey is used to change the master key used to protect the keyring
func (*AESGCMBarrier) ReloadKeyring ¶ added in v0.2.0
func (b *AESGCMBarrier) ReloadKeyring() error
ReloadKeyring is used to re-read the underlying keyring. This is used for HA deployments to ensure the latest keyring is present in the leader.
func (*AESGCMBarrier) ReloadMasterKey ¶ added in v0.2.0
func (b *AESGCMBarrier) ReloadMasterKey() error
ReloadMasterKey is used to re-read the underlying masterkey. This is used for HA deployments to ensure the latest master key is available for keyring reloading.
func (*AESGCMBarrier) Rotate ¶ added in v0.2.0
func (b *AESGCMBarrier) Rotate() (uint32, error)
Rotate is used to create a new encryption key. All future writes should use the new key, while old values should still be decryptable.
func (*AESGCMBarrier) Seal ¶
func (b *AESGCMBarrier) Seal() error
Seal is used to re-seal the barrier. This requires the barrier to be unsealed again to perform any further operations.
func (*AESGCMBarrier) Sealed ¶
func (b *AESGCMBarrier) Sealed() (bool, error)
Sealed checks if the barrier has been unlocked yet. The Barrier is not expected to be able to perform any CRUD until it is unsealed.
func (*AESGCMBarrier) Unseal ¶
func (b *AESGCMBarrier) Unseal(key []byte) error
Unseal is used to provide the master key which permits the barrier to be unsealed. If the key is not correct, the barrier remains sealed.
func (*AESGCMBarrier) VerifyMaster ¶ added in v0.2.0
func (b *AESGCMBarrier) VerifyMaster(key []byte) error
VerifyMaster is used to check if the given key matches the master key
type AuditBroker ¶
type AuditBroker struct {
// contains filtered or unexported fields
}
AuditBroker is used to provide a single ingest interface to auditable events given that multiple backends may be configured.
func NewAuditBroker ¶
func NewAuditBroker(log *log.Logger) *AuditBroker
NewAuditBroker creates a new audit broker
func (*AuditBroker) Deregister ¶
func (a *AuditBroker) Deregister(name string)
Deregister is used to remove an audit backend from the broker
func (*AuditBroker) GetHash ¶ added in v0.4.0
func (a *AuditBroker) GetHash(name string, input string) (string, error)
GetHash returns a hash using the salt of the given backend
func (*AuditBroker) IsRegistered ¶
func (a *AuditBroker) IsRegistered(name string) bool
IsRegistered is used to check if a given audit backend is registered
func (*AuditBroker) LogRequest ¶
func (a *AuditBroker) LogRequest(auth *logical.Auth, req *logical.Request, outerErr error) (reterr error)
LogRequest is used to ensure all the audit backends have an opportunity to log the given request and that *at least one* succeeds.
func (*AuditBroker) LogResponse ¶
func (a *AuditBroker) LogResponse(auth *logical.Auth, req *logical.Request, resp *logical.Response, err error) (reterr error)
LogResponse is used to ensure all the audit backends have an opportunity to log the given response and that *at least one* succeeds.
func (*AuditBroker) Register ¶
func (a *AuditBroker) Register(name string, b audit.Backend, v *BarrierView)
Register is used to add new audit backend to the broker
type BarrierStorage ¶
type BarrierStorage interface { // Put is used to insert or update an entry Put(entry *Entry) error // Get is used to fetch an entry Get(key string) (*Entry, error) // Delete is used to permanently delete an entry Delete(key string) error // List is used ot list all the keys under a given // prefix, up to the next prefix. List(prefix string) ([]string, error) }
BarrierStorage is the storage only interface required for a Barrier.
type BarrierView ¶
type BarrierView struct {
// contains filtered or unexported fields
}
BarrierView wraps a SecurityBarrier and ensures all access is automatically prefixed. This is used to prevent anyone with access to the view to access any data in the durable storage outside of their prefix. Conceptually this is like a "chroot" into the barrier.
BarrierView implements logical.Storage so it can be passed in as the durable storage mechanism for logical views.
func NewBarrierView ¶
func NewBarrierView(barrier BarrierStorage, prefix string) *BarrierView
NewBarrierView takes an underlying security barrier and returns a view of it that can only operate with the given prefix.
func (*BarrierView) Get ¶
func (v *BarrierView) Get(key string) (*logical.StorageEntry, error)
logical.Storage impl.
func (*BarrierView) List ¶
func (v *BarrierView) List(prefix string) ([]string, error)
logical.Storage impl.
func (*BarrierView) Put ¶
func (v *BarrierView) Put(entry *logical.StorageEntry) error
logical.Storage impl.
func (*BarrierView) SubView ¶
func (v *BarrierView) SubView(prefix string) *BarrierView
SubView constructs a nested sub-view using the given prefix
type Core ¶
type Core struct {
// contains filtered or unexported fields
}
Core is used as the central manager of Vault activity. It is the primary point of interface for API handlers and is responsible for managing the logical and physical backends, router, security barrier, and audit trails.
func NewCore ¶
func NewCore(conf *CoreConfig) (*Core, error)
NewCore is used to construct a new core
func TestCoreUnsealed ¶
TestCoreUnsealed returns a pure in-memory core that is already initialized and unsealed.
func (*Core) GenerateRootCancel ¶ added in v0.5.0
GenerateRootCancel is used to cancel an in-progress root generation
func (*Core) GenerateRootConfiguration ¶ added in v0.5.0
func (c *Core) GenerateRootConfiguration() (*GenerateRootConfig, error)
GenerateRootConfig is used to read the root generation configuration It stubbornly refuses to return the OTP if one is there.
func (*Core) GenerateRootInit ¶ added in v0.5.0
GenerateRootInit is used to initialize the root generation settings
func (*Core) GenerateRootProgress ¶ added in v0.5.0
GenerateRoot is used to return the root generation progress (num shares)
func (*Core) GenerateRootUpdate ¶ added in v0.5.0
func (c *Core) GenerateRootUpdate(key []byte, nonce string) (*GenerateRootResult, error)
GenerateRootUpdate is used to provide a new key part
func (*Core) HandleRequest ¶
HandleRequest is used to handle a new incoming request
func (*Core) Initialize ¶
func (c *Core) Initialize(config *SealConfig) (*InitResult, error)
Initialize is used to initialize the Vault with the given configurations.
func (*Core) Initialized ¶
Initialized checks if the Vault is already initialized
func (*Core) RekeyCancel ¶ added in v0.2.0
RekeyCancel is used to cancel an inprogress rekey
func (*Core) RekeyConfig ¶ added in v0.2.0
func (c *Core) RekeyConfig() (*SealConfig, error)
RekeyConfig is used to read the rekey configuration
func (*Core) RekeyDeleteBackup ¶ added in v0.5.0
RekeyDeleteBackup is used to delete any backed-up PGP-encrypted unseal keys
func (*Core) RekeyInit ¶ added in v0.2.0
func (c *Core) RekeyInit(config *SealConfig) error
RekeyInit is used to initialize the rekey settings
func (*Core) RekeyProgress ¶ added in v0.2.0
RekeyProgress is used to return the rekey progress (num shares)
func (*Core) RekeyRetrieveBackup ¶ added in v0.5.0
func (c *Core) RekeyRetrieveBackup() (*RekeyBackup, error)
RekeyRetrieveBackup is used to retrieve any backed-up PGP-encrypted unseal keys
func (*Core) RekeyUpdate ¶ added in v0.2.0
func (c *Core) RekeyUpdate(key []byte, nonce string) (*RekeyResult, error)
RekeyUpdate is used to provide a new key part
func (*Core) ResetUnsealProcess ¶ added in v0.4.0
func (c *Core) ResetUnsealProcess()
ResetUnsealProcess removes the current unlock parts from memory, to reset the unsealing process
func (*Core) Seal ¶
Seal is used to re-seal the Vault. This requires the Vault to be unsealed again to perform any further operations.
func (*Core) SealConfig ¶
func (c *Core) SealConfig() (*SealConfig, error)
SealConfiguration is used to return information about the configuration of the Vault and it's current status.
func (*Core) SecretProgress ¶
SecretProgress returns the number of keys provided so far
func (*Core) Shutdown ¶ added in v0.2.0
Shutdown is invoked when the Vault instance is about to be terminated. It should not be accessible as part of an API call as it will cause an availability problem. It is only used to gracefully quit in the case of HA so that failover happens as quickly as possible.
type CoreConfig ¶
type CoreConfig struct { LogicalBackends map[string]logical.Factory CredentialBackends map[string]logical.Factory AuditBackends map[string]audit.Factory Physical physical.Backend HAPhysical physical.HABackend // May be nil, which disables HA operations Logger *log.Logger DisableCache bool // Disables the LRU cache on the physical backend DisableMlock bool // Disables mlock syscall CacheSize int // Custom cache size of zero for default AdvertiseAddr string // Set as the leader address for HA DefaultLeaseTTL time.Duration MaxLeaseTTL time.Duration }
CoreConfig is used to parameterize a core
type CubbyholeBackend ¶ added in v0.3.0
CubbyholeBackend is used for storing secrets directly into the physical backend. The secrets are encrypted in the durable storage. This differs from generic in that every token has its own private storage view. The view is removed when the token expires.
type EncodedKeyring ¶ added in v0.2.0
EncodedKeyring is used for serialization of the keyring
type Entry ¶
Entry is used to represent data stored by the security barrier
func (*Entry) Logical ¶
func (e *Entry) Logical() *logical.StorageEntry
Logical turns the Entry into a logical storage entry.
type ErrInvalidKey ¶
type ErrInvalidKey struct {
Reason string
}
ErrInvalidKey is returned if there is an error with a provided unseal key.
func (*ErrInvalidKey) Error ¶
func (e *ErrInvalidKey) Error() string
type ExpirationManager ¶
type ExpirationManager struct {
// contains filtered or unexported fields
}
ExpirationManager is used by the Core to manage leases. Secrets can provide a lease, meaning that they can be renewed or revoked. If a secret is not renewed in timely manner, it may be expired, and the ExpirationManager will handle doing automatic revocation.
func NewExpirationManager ¶
func NewExpirationManager(router *Router, view *BarrierView, ts *TokenStore, logger *log.Logger) *ExpirationManager
NewExpirationManager creates a new ExpirationManager that is backed using a given view, and uses the provided router for revocation.
func (*ExpirationManager) FetchLeaseTimes ¶ added in v0.5.0
func (m *ExpirationManager) FetchLeaseTimes(leaseID string) (*leaseEntry, error)
FetchLeaseTimes is used to fetch the issue time, expiration time, and last renewed time of a lease entry. It returns a leaseEntry itself, but with only those values copied over.
func (*ExpirationManager) FetchLeaseTimesByToken ¶ added in v0.5.0
func (m *ExpirationManager) FetchLeaseTimesByToken(source, token string) (*leaseEntry, error)
FetchLeaseTimesByToken is a helper function to use token values to compute the leaseID, rather than pushing that logic back into the token store.
func (*ExpirationManager) Register ¶
Register is used to take a request and response with an associated lease. The secret gets assigned a LeaseID and the management of of lease is assumed by the expiration manager.
func (*ExpirationManager) RegisterAuth ¶
func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) error
RegisterAuth is used to take an Auth response with an associated lease. The token does not get a LeaseID, but the lease management is handled by the expiration manager.
func (*ExpirationManager) Renew ¶
func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*logical.Response, error)
Renew is used to renew a secret using the given leaseID and a renew interval. The increment may be ignored.
func (*ExpirationManager) RenewToken ¶
func (m *ExpirationManager) RenewToken(req *logical.Request, source string, token string, increment time.Duration) (*logical.Auth, error)
RenewToken is used to renew a token which does not need to invoke a logical backend.
func (*ExpirationManager) Restore ¶
func (m *ExpirationManager) Restore() error
Restore is used to recover the lease states when starting. This is used after starting the vault.
func (*ExpirationManager) Revoke ¶
func (m *ExpirationManager) Revoke(leaseID string) error
Revoke is used to revoke a secret named by the given LeaseID
func (*ExpirationManager) RevokeByToken ¶
func (m *ExpirationManager) RevokeByToken(token string) error
RevokeByToken is used to revoke all the secrets issued with a given token. This is done by using the secondary index.
func (*ExpirationManager) RevokePrefix ¶
func (m *ExpirationManager) RevokePrefix(prefix string) error
RevokePrefix is used to revoke all secrets with a given prefix. The prefix maps to that of the mount table to make this simpler to reason about.
func (*ExpirationManager) Stop ¶
func (m *ExpirationManager) Stop() error
Stop is used to prevent further automatic revocations. This must be called before sealing the view.
type GenerateRootConfig ¶ added in v0.5.0
GenerateRootConfig holds the configuration for a root generation command.
type GenerateRootResult ¶ added in v0.5.0
type GenerateRootResult struct { Progress int Required int EncodedRootToken string PGPFingerprint string }
GenerateRootResult holds the result of a root generation update command
type InitResult ¶
type InitResult struct { RootToken string }
InitResult is used to provide the key parts back after they are generated as part of the initialization.
type Key ¶ added in v0.2.0
Key represents a single term, along with the key used.
func DeserializeKey ¶ added in v0.2.0
DeserializeKey is used to deserialize and return a new key
type Keyring ¶ added in v0.2.0
type Keyring struct {
// contains filtered or unexported fields
}
Keyring is used to manage multiple encryption keys used by the barrier. New keys can be installed and each has a sequential term. The term used to encrypt a key is prefixed to the key written out. All data is encrypted with the latest key, but storing the old keys allows for decryption of keys written previously. Along with the encryption keys, the keyring also tracks the master key. This is necessary so that when a new key is added to the keyring, we can encrypt with the master key and write out the new keyring.
func DeserializeKeyring ¶ added in v0.2.0
DeserializeKeyring is used to deserialize and return a new keyring
func (*Keyring) ActiveTerm ¶ added in v0.2.0
ActiveTerm returns the currently active term
func (*Keyring) SetMasterKey ¶ added in v0.2.0
SetMasterKey is used to update the master key
type MountConfig ¶ added in v0.3.0
type MountConfig struct { DefaultLeaseTTL time.Duration `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` // Override for global default MaxLeaseTTL time.Duration `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"` // Override for global default }
MountConfig is used to hold settable options
type MountEntry ¶
type MountEntry struct { Path string `json:"path"` // Mount Path Type string `json:"type"` // Logical backend Type Description string `json:"description"` // User-provided description UUID string `json:"uuid"` // Barrier view UUID Config MountConfig `json:"config"` // Configuration related to this mount (but not backend-derived) Options map[string]string `json:"options"` // Backend options Tainted bool `json:"tainted,omitempty"` // Set as a Write-Ahead flag for unmount/remount }
MountEntry is used to represent a mount table entry
func (*MountEntry) Clone ¶
func (e *MountEntry) Clone() *MountEntry
Returns a deep copy of the mount entry
type MountTable ¶
type MountTable struct {
Entries []*MountEntry `json:"entries"`
}
MountTable is used to represent the internal mount table
func (*MountTable) Find ¶
func (t *MountTable) Find(path string) *MountEntry
Find is used to lookup an entry
func (*MountTable) Hash ¶
func (t *MountTable) Hash() ([]byte, error)
Hash is used to generate a hash value for the mount table
func (*MountTable) Remove ¶
func (t *MountTable) Remove(path string) bool
Remove is used to remove a given path entry
func (*MountTable) SetTaint ¶
func (t *MountTable) SetTaint(path string, value bool) bool
SetTaint is used to set the taint on given entry
func (*MountTable) ShallowClone ¶ added in v0.3.0
func (t *MountTable) ShallowClone() *MountTable
ShallowClone returns a copy of the mount table that keeps the MountEntry locations, so as not to invalidate other locations holding pointers. Care needs to be taken if modifying entries rather than modifying the table itself
type PassthroughBackend ¶
PassthroughBackend is used storing secrets directly into the physical backend. The secrets are encrypted in the durable storage and custom TTL information can be specified, but otherwise this backend doesn't do anything fancy.
func (*PassthroughBackend) GeneratesLeases ¶ added in v0.3.0
func (b *PassthroughBackend) GeneratesLeases() bool
type PathCapabilities ¶ added in v0.5.0
type PathCapabilities struct { Prefix string `hcl:",key"` Policy string Capabilities []string CapabilitiesBitmap uint32 `hcl:"-"` Glob bool }
Capability represents a policy for a path in the namespace
type Policy ¶
type Policy struct { Name string `hcl:"name"` Paths []*PathCapabilities `hcl:"path,expand"` Raw string }
Policy is used to represent the policy specified by an ACL configuration.
type PolicyEntry ¶ added in v0.2.0
PolicyEntry is used to store a policy by name
type PolicyStore ¶
type PolicyStore struct {
// contains filtered or unexported fields
}
PolicyStore is used to provide durable storage of policy, and to manage ACLs associated with them.
func NewPolicyStore ¶
func NewPolicyStore(view *BarrierView) *PolicyStore
NewPolicyStore creates a new PolicyStore that is backed using a given view. It used used to durable store and manage named policy.
func (*PolicyStore) ACL ¶
func (ps *PolicyStore) ACL(names ...string) (*ACL, error)
ACL is used to return an ACL which is built using the named policies.
func (*PolicyStore) DeletePolicy ¶
func (ps *PolicyStore) DeletePolicy(name string) error
DeletePolicy is used to delete the named policy
func (*PolicyStore) GetPolicy ¶
func (ps *PolicyStore) GetPolicy(name string) (*Policy, error)
GetPolicy is used to fetch the named policy
func (*PolicyStore) ListPolicies ¶
func (ps *PolicyStore) ListPolicies() ([]string, error)
ListPolicies is used to list the available policies
func (*PolicyStore) SetPolicy ¶
func (ps *PolicyStore) SetPolicy(p *Policy) error
SetPolicy is used to create or update the given policy
type RekeyBackup ¶ added in v0.5.0
RekeyBackup stores the backup copy of PGP-encrypted keys
type RekeyResult ¶ added in v0.2.0
RekeyResult is used to provide the key parts back after they are generated as part of the rekey.
type RollbackManager ¶
type RollbackManager struct {
// contains filtered or unexported fields
}
RollbackManager is responsible for performing rollbacks of partial secrets within logical backends.
During normal operations, it is possible for logical backends to error partially through an operation. These are called "partial secrets": they are never sent back to a user, but they do need to be cleaned up. This manager handles that by periodically (on a timer) requesting that the backends clean up.
The RollbackManager periodically initiates a logical.RollbackOperation on every mounted logical backend. It ensures that only one rollback operation is in-flight at any given time within a single seal/unseal phase.
func NewRollbackManager ¶
func NewRollbackManager(logger *log.Logger, mounts func() []*MountEntry, router *Router) *RollbackManager
NewRollbackManager is used to create a new rollback manager
func (*RollbackManager) Rollback ¶
func (m *RollbackManager) Rollback(path string) error
Rollback is used to trigger an immediate rollback of the path, or to join an existing rollback operation if in flight.
func (*RollbackManager) Stop ¶
func (m *RollbackManager) Stop()
Stop stops the running manager. This will wait for any in-flight rollbacks to complete.
type Router ¶
type Router struct {
// contains filtered or unexported fields
}
Router is used to do prefix based routing of a request to a logical backend
func (*Router) MatchingBackend ¶ added in v0.3.0
MatchingMountEntry returns the MountEntry used for a path
func (*Router) MatchingMount ¶
MatchingMount returns the mount prefix that would be used for a path
func (*Router) MatchingMountEntry ¶ added in v0.3.0
func (r *Router) MatchingMountEntry(path string) *MountEntry
MatchingMountEntry returns the MountEntry used for a path
func (*Router) MatchingStorageView ¶ added in v0.3.0
func (r *Router) MatchingStorageView(path string) *BarrierView
MatchingView returns the view used for a path
func (*Router) MatchingSystemView ¶ added in v0.3.0
func (r *Router) MatchingSystemView(path string) logical.SystemView
MatchingSystemView returns the SystemView used for a path
func (*Router) Mount ¶
func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, storageView *BarrierView) error
Mount is used to expose a logical backend at a given prefix, using a unique salt, and the barrier view for that path.
func (*Router) RouteExistenceCheck ¶ added in v0.5.0
Route is used to route a given existence check request
func (*Router) Taint ¶
Taint is used to mark a path as tainted. This means only RollbackOperation RenewOperation requests are allowed to proceed
type SealConfig ¶
type SealConfig struct { // split into. This is the N value of Shamir. SecretShares int `json:"secret_shares"` // PGPKeys is the array of public PGP keys used, // if requested, to encrypt the output unseal tokens. If // provided, it sets the value of SecretShares. Ordering // is important. PGPKeys []string `json:"pgp_keys"` // SecretThreshold is the number of parts required // to open the vault. This is the T value of Shamir SecretThreshold int `json:"secret_threshold"` // Nonce is a nonce generated by Vault used to ensure that when unseal keys // are submitted for a rekey operation, the rekey operation itself is the // one intended. This prevents hijacking of the rekey operation, since it // is unauthenticated. Nonce string `json:"nonce"` // Backup indicates whether or not a backup of PGP-encrypted unseal keys // should be stored at coreUnsealKeysBackupPath after successful rekeying. Backup bool `json:"backup"` }
SealConfig is used to describe the seal configuration
func (*SealConfig) Validate ¶
func (s *SealConfig) Validate() error
Validate is used to sanity check the seal configuration
type SecurityBarrier ¶
type SecurityBarrier interface { // Initialized checks if the barrier has been initialized // and has a master key set. Initialized() (bool, error) // Initialize works only if the barrier has not been initialized // and makes use of the given master key. Initialize([]byte) error // GenerateKey is used to generate a new key GenerateKey() ([]byte, error) // KeyLength is used to sanity check a key KeyLength() (int, int) // Sealed checks if the barrier has been unlocked yet. The Barrier // is not expected to be able to perform any CRUD until it is unsealed. Sealed() (bool, error) // Unseal is used to provide the master key which permits the barrier // to be unsealed. If the key is not correct, the barrier remains sealed. Unseal(key []byte) error // VerifyMaster is used to check if the given key matches the master key VerifyMaster(key []byte) error // ReloadKeyring is used to re-read the underlying keyring. // This is used for HA deployments to ensure the latest keyring // is present in the leader. ReloadKeyring() error // ReloadMasterKey is used to re-read the underlying masterkey. // This is used for HA deployments to ensure the latest master key // is available for keyring reloading. ReloadMasterKey() error // Seal is used to re-seal the barrier. This requires the barrier to // be unsealed again to perform any further operations. Seal() error // Rotate is used to create a new encryption key. All future writes // should use the new key, while old values should still be decryptable. Rotate() (uint32, error) // CreateUpgrade creates an upgrade path key to the given term from the previous term CreateUpgrade(term uint32) error // DestroyUpgrade destroys the upgrade path key to the given term DestroyUpgrade(term uint32) error // CheckUpgrade looks for an upgrade to the current term and installs it CheckUpgrade() (bool, uint32, error) // ActiveKeyInfo is used to inform details about the active key ActiveKeyInfo() (*KeyInfo, error) // Rekey is used to change the master key used to protect the keyring Rekey([]byte) error // SecurityBarrier must provide the storage APIs BarrierStorage }
SecurityBarrier is a critical component of Vault. It is used to wrap an untrusted physical backend and provide a single point of encryption, decryption and checksum verification. The goal is to ensure that any data written to the barrier is confidential and that integrity is preserved. As a real-world analogy, this is the steel and concrete wrapper around a Vault. The barrier should only be Unlockable given its key.
type SystemBackend ¶
SystemBackend implements logical.Backend and is used to interact with the core of the system. This backend is hardcoded to exist at the "sys" prefix. Conceptually it is similar to procfs on Linux.
type TokenEntry ¶
type TokenEntry struct { ID string // ID of this entry, generally a random UUID Parent string // Parent token, used for revocation trees Policies []string // Which named policies should be used Path string // Used for audit trails, this is something like "auth/user/login" Meta map[string]string // Used for auditing. This could include things like "source", "user", "ip" DisplayName string // Used for operators to be able to associate with the source NumUses int // Used to restrict the number of uses (zero is unlimited). This is to support one-time-tokens (generalized). CreationTime int64 // Time of token creation TTL time.Duration // Duration set when token was created }
TokenEntry is used to represent a given token
type TokenStore ¶
TokenStore is used to manage client tokens. Tokens are used for clients to authenticate, and each token is mapped to an applicable set of policy which is used for authorization.
func NewTokenStore ¶
func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
NewTokenStore is used to construct a token store that is backed by the given barrier view.
func (*TokenStore) Lookup ¶
func (ts *TokenStore) Lookup(id string) (*TokenEntry, error)
Lookup is used to find a token given its ID
func (*TokenStore) Revoke ¶
func (ts *TokenStore) Revoke(id string) error
Revoke is used to invalidate a given token, any child tokens will be orphaned.
func (*TokenStore) RevokeTree ¶
func (ts *TokenStore) RevokeTree(id string) error
RevokeTree is used to invalide a given token and all child tokens.
func (*TokenStore) SaltID ¶
func (ts *TokenStore) SaltID(id string) string
SaltID is used to apply a salt and hash to an ID to make sure its not reversable
func (*TokenStore) SetExpirationManager ¶
func (ts *TokenStore) SetExpirationManager(exp *ExpirationManager)
SetExpirationManager is used to provide the token store with an expiration manager. This is used to manage prefix based revocation of tokens and to cleanup entries when removed from the token store.
func (*TokenStore) UseToken ¶
func (ts *TokenStore) UseToken(te *TokenEntry) error
UseToken is used to manage restricted use tokens and decrement their available uses.
Source Files ¶
- acl.go
- audit.go
- auth.go
- barrier.go
- barrier_aes_gcm.go
- barrier_view.go
- core.go
- dynamic_system_view.go
- expiration.go
- generate_root.go
- keyring.go
- logical_cubbyhole.go
- logical_passthrough.go
- logical_system.go
- logical_system_helpers.go
- mount.go
- policy.go
- policy_store.go
- rekey.go
- rollback.go
- router.go
- testing.go
- token_store.go
- util.go