Documentation ¶
Overview ¶
Package api provides request and response types for interacting with the SecretHub API.
Index ¶
- Constants
- Variables
- func GetFingerprint(t CredentialType, verifier []byte) string
- func Int(val int) *int
- func IntValue(val *int) int
- func IsErrNotFound(err error) bool
- func JoinPaths(components ...string) string
- func String(val string) *string
- func StringValue(val *string) string
- func ValidateAccountName(name string) error
- func ValidateBlindName(blindName string) error
- func ValidateCredentialDescription(description string) error
- func ValidateCredentialFingerprint(fingerprint string) error
- func ValidateDirPath(path string) error
- func ValidateEmail(email string) error
- func ValidateFullName(fullName string) error
- func ValidateGCPKMSKeyResourceID(v string) error
- func ValidateGCPServiceAccountEmail(v string) error
- func ValidateNamespace(namespace string) error
- func ValidateOrgDescription(description string) error
- func ValidateOrgName(name string) error
- func ValidateOrgRole(role string) error
- func ValidateRepoName(name string) error
- func ValidateRepoPath(path string) error
- func ValidateSecretName(name string) error
- func ValidateSecretPath(path string) error
- func ValidateServiceDescription(description string) error
- func ValidateServiceID(serviceID string) error
- func ValidateShortCredentialFingerprint(fingerprint string) error
- func ValidateUsername(username string) error
- type AccessLevel
- type AccessRule
- type Account
- type AccountName
- type Audit
- type AuditAction
- type AuditActor
- type AuditSubject
- type AuditSubjectType
- type AuditSubjectTypeList
- type AuthPayloadAWSSTS
- type AuthPayloadGCPServiceAccount
- type AuthRequest
- type BlindNamePath
- type CreateAccessRuleRequest
- type CreateAccountKeyRequest
- type CreateCredentialRequest
- type CreateDirRequest
- type CreateFederatedUserRequest
- type CreateOrgMemberRequest
- type CreateOrgRequest
- type CreateRepoMemberRequest
- type CreateRepoRequest
- type CreateSecretKeyRequest
- type CreateSecretRequest
- type CreateSecretVersionRequest
- type CreateServiceRequest
- type CreateUserRequest
- type Credential
- type CredentialProofAWS
- type CredentialProofBackupCode
- type CredentialProofGCPServiceAccount
- type CredentialProofKey
- type CredentialType
- type Dir
- type DirPath
- func (dp DirPath) BlindName(key *crypto.SymmetricKey) (string, error)
- func (dp DirPath) GetDirName() string
- func (dp DirPath) GetNamespace() string
- func (dp DirPath) GetParentPath() (ParentPath, error)
- func (dp DirPath) GetRepo() string
- func (dp DirPath) GetRepoPath() RepoPath
- func (dp DirPath) HasParentDirectory() bool
- func (dp DirPath) IsRepoPath() bool
- func (dp DirPath) JoinDir(dirName string) DirPath
- func (dp DirPath) JoinSecret(secretName string) SecretPath
- func (dp *DirPath) Set(value string) error
- func (dp DirPath) String() string
- func (dp DirPath) Validate() error
- func (dp DirPath) Value() string
- type EncryptedAccountKey
- type EncryptedData
- func NewEncryptedDataAESGCM(ciphertext, nonce []byte, nonceLength int, key interface{}) *EncryptedData
- func NewEncryptedDataAWSKMS(ciphertext []byte, key *EncryptionKeyAWS) *EncryptedData
- func NewEncryptedDataGCPKMS(ciphertext []byte, key *EncryptionKeyGCP) *EncryptedData
- func NewEncryptedDataRSAOAEP(ciphertext []byte, hashingAlgorithm HashingAlgorithm, key interface{}) *EncryptedData
- type EncryptedDataAESGCM
- type EncryptedDir
- type EncryptedKeyRequest
- type EncryptedNameForNodeRequest
- type EncryptedNameRequest
- type EncryptedSecret
- type EncryptedSecretKey
- type EncryptedSecretVersion
- type EncryptedTree
- type EncryptionAlgorithm
- type EncryptionKey
- type EncryptionKeyAWS
- type EncryptionKeyAccountKey
- type EncryptionKeyBootstrapCode
- type EncryptionKeyDerived
- type EncryptionKeyEncrypted
- type EncryptionKeyGCP
- type EncryptionKeyLocal
- type EncryptionKeySecretKey
- type EncryptionMetadataAESGCM
- type EncryptionParametersAESGCM
- type EncryptionParametersRSAOAEP
- type HashingAlgorithm
- type InviteUserRequest
- type KeyDerivationAlgorithm
- type KeyDerivationMetadataScrypt
- type KeyDerivationParametersScrypt
- type KeyType
- type Namespace
- type NamespaceDetails
- type Org
- type OrgMember
- type OrgName
- type ParentPath
- type Path
- func (p Path) HasVersion() bool
- func (p *Path) Set(value string) error
- func (p Path) String() string
- func (p Path) ToDirPath() (DirPath, error)
- func (p Path) ToNamespace() (Namespace, error)
- func (p Path) ToRepoPath() (RepoPath, error)
- func (p Path) ToSecretPath() (SecretPath, error)
- func (p *Path) Validate() error
- type Permission
- type Repo
- type RepoKeys
- type RepoMember
- type RepoPath
- func (rp RepoPath) BlindName(key *crypto.SymmetricKey) (string, error)
- func (rp RepoPath) GetDirPath() DirPath
- func (rp RepoPath) GetNamespace() string
- func (rp RepoPath) GetNamespaceAndRepoName() (string, string)
- func (rp RepoPath) GetRepo() string
- func (rp RepoPath) GetRepoPath() RepoPath
- func (rp *RepoPath) Set(value string) error
- func (rp RepoPath) String() string
- func (rp RepoPath) Validate() error
- func (rp RepoPath) Value() string
- type RevokeOpts
- type RevokeOrgResponse
- type RevokeRepoResponse
- type RevokeResponse
- type Secret
- type SecretAccessRequest
- type SecretKey
- type SecretKeyMemberRequest
- type SecretPath
- func (sp SecretPath) AddVersion(version int) (SecretPath, error)
- func (sp SecretPath) BlindName(key *crypto.SymmetricKey) (string, error)
- func (sp SecretPath) GetNamespace() string
- func (sp SecretPath) GetParentPath() (ParentPath, error)
- func (sp SecretPath) GetRepo() string
- func (sp SecretPath) GetRepoPath() RepoPath
- func (sp SecretPath) GetSecret() string
- func (sp SecretPath) GetVersion() (string, error)
- func (sp SecretPath) HasVersion() bool
- func (sp *SecretPath) Set(value string) error
- func (sp SecretPath) String() string
- func (sp SecretPath) Validate() error
- func (sp SecretPath) Value() string
- type SecretVersion
- type Service
- type Session
- type SessionHMAC
- type SessionPayloadHMAC
- type SessionType
- type SortAccessLevels
- type SortAccessRules
- type SortDirByName
- type SortDirPaths
- type SortOrgByName
- type SortOrgMemberByUsername
- type SortRepoByName
- type SortSecretByName
- type Tree
- type UpdateAccessRuleRequest
- type UpdateCredentialRequest
- type UpdateOrgMemberRequest
- type User
Constants ¶
const ( AuditSubjectAccount = "account" AuditSubjectUser = "user" AuditSubjectService = "service" AuditSubjectSecret = "secret" AuditSubjectSecretVersion = "secret_version" AuditSubjectSecretKey = "secret_key" AuditSubjectSecretMember = "permission" AuditSubjectRepo = "repo" AuditSubjectRepoMember = "repo_member" AuditSubjectRepoKey = "repo_key" )
The different options for an AuditSubjectType.
const ( AuthMethodAWSSTS = "aws-sts" AuthMethodGCPServiceAccount = "gcp-service-account" )
AuthMethod options
const ( CredentialMetadataAWSKMSKey = "aws_kms_key_id" CredentialMetadataAWSRole = "aws_role" CredentialMetadataGCPKMSKeyResourceID = "gcp_kms_resource_id" CredentialMetadataGCPServiceAccountEmail = "gcp_service_account_email" )
Credential metadata keys
const ( EncryptionAlgorithmAESGCM EncryptionAlgorithm = "aes-gcm" EncryptionAlgorithmRSAOEAP EncryptionAlgorithm = "rsa-oaep" EncryptionAlgorithmAWSKMS EncryptionAlgorithm = "aws-kms" EncryptionAlgorithmGCPKMS EncryptionAlgorithm = "gcp-kms" HashingAlgorithmSHA256 HashingAlgorithm = "sha-256" )
Supported values for EncryptionAlgorithm.
const ( OrgRoleAdmin = "admin" OrgRoleMember = "member" )
Roles
const ( // StatusOK signals everything is in order. StatusOK = "ok" // StatusFlagged signals that a resource should be considered compromised and should be rotated/no longer used. StatusFlagged = "flagged" // StatusFailed signals that revocation cannot complete. StatusFailed = "failed" )
Status Constants
const (
// CredentialProofPrefixAWS is the prefix to use in AWS STS proof plaintext.
CredentialProofPrefixAWS = "secrethub-allow-role="
)
const ( // MaxEncryptedSecretSize is the maximum size of EncryptedSecretVersion.EncryptedData. MaxEncryptedSecretSize = (512*4/3 + 5) * units.KiB // 512 KiB corrected for base64 overhead (4/3) and metadata )
const (
ShortCredentialFingerprintMinimumLength = 10
)
Variables ¶
var ( ErrInvalidAccountName = errAPI.Code("invalid_account_name").Error("An account name either needs to be an username or a servicename") ErrInvalidKeyID = errAPI.Code("invalid_key_id").Error("id of the provided account key is invalid") ServiceNamePrefix = "s-" )
Errors
var ( ErrAccountNotKeyed = errAPI.Code("account_not_keyed").StatusError("User has not yet keyed their account", http.StatusBadRequest) ErrAccountKeyNotFound = errAPI.Code("account_key_not_found").StatusError("User has not yet keyed their account", http.StatusNotFound) ErrIllegalKeyVersion = errHub.Code("illegal_key_version").StatusError("key_version should be either v1 or v2", http.StatusBadRequest) )
Errors
var ( ErrInvalidSecretID = errAPI.Code("invalid_secret_id").StatusError("invalid secret id", http.StatusBadRequest) ErrInvalidDirID = errAPI.Code("invalid_dir_id").StatusError("invalid directory id", http.StatusBadRequest) ErrAccessRuleAlreadyExists = errAPI.Code("access_rule_already_exists").StatusError("access rule already exists", http.StatusConflict) ErrAccessRuleNotFound = errAPI.Code("access_rule_not_found").StatusError("access rule not found", http.StatusNotFound) )
Errors
var ( ErrInvalidSessionType = errAPI.Code("invalid_session_type").StatusError("invalid session type provided for authentication request", http.StatusBadRequest) ErrInvalidPayload = errAPI.Code("invalid_payload").StatusError("invalid payload provided for authentication request", http.StatusBadRequest) ErrInvalidAuthMethod = errAPI.Code("invalid_auth_method").StatusError("invalid auth method", http.StatusBadRequest) ErrMissingField = errAPI.Code("missing_field").StatusErrorPref("request is missing field %s", http.StatusBadRequest) ErrSessionNotFound = errAPI.Code("session_not_found").StatusError("session could not be found, it might have expired", http.StatusForbidden) ErrSessionExpired = errAPI.Code("session_expired").StatusError("session has expired", http.StatusForbidden) ErrAuthFailed = errAPI.Code("auth_failed").StatusError("authentication failed", http.StatusForbidden) )
Errors
var ( ErrCouldNotGetEndpoint = errAPI.Code("aws_endpoint_not_found").StatusError("could not find an AWS endpoint for the provided region", http.StatusBadRequest) ErrAWSException = errAPI.Code("aws_exception").StatusError("encountered an unexpected problem while verifying your identity on AWS. Please try again later.", http.StatusFailedDependency) ErrNoServiceWithRole = errAPI.Code("no_service_with_role").StatusErrorPref("no service account found that is linked to the IAM role '%s'", http.StatusNotFound) ErrNoAWSCredentials = errAPI.Code("missing_aws_credentials").StatusError("request was not signed with AWS credentials", http.StatusUnauthorized) ErrInvalidAWSCredentials = errAPI.Code("invalid_aws_credentials").StatusError("credentials were not accepted by AWS", http.StatusUnauthorized) )
Errors
var ( ErrInvalidGCPIDToken = errAPI.Code("invalid_id_token").StatusError("provided id_token is invalid", http.StatusBadRequest) ErrNoGCPServiceWithEmail = errAPI.Code("no_service_with_email").StatusErrorPref("no service account found that is linked to the GCP Service Account %s'", http.StatusUnauthorized) )
Errors
var ( ErrUnknownAlgorithm = errAPI.Code("unknown_algorithm").Error("algorithm of the encoded ciphertext is invalid") ErrInvalidCiphertext = errAPI.Code("invalid_ciphertext").Error("cannot encode invalid ciphertext") ErrInvalidMetadata = errAPI.Code("invalid_metadata").Error("metadata of encrypted key is invalid") )
Errors These will be removed after the next server-release, as they are then no longer returned from the server.
var ( ErrInvalidFingerprint = errAPI.Code("invalid_fingerprint").StatusError("fingerprint is invalid", http.StatusBadRequest) ErrTooShortFingerprint = errAPI.Code("too_short_fingerprint").StatusErrorf("at least %d characters of the fingerprint must be entered", http.StatusBadRequest, ShortCredentialFingerprintMinimumLength) ErrCredentialFingerprintNotUnique = errAPI.Code("fingerprint_not_unique").StatusErrorf("there are multiple credentials that start with the given fingerprint. Please use the full fingerprint", http.StatusConflict) ErrInvalidVerifier = errAPI.Code("invalid_verifier").StatusError("verifier is invalid", http.StatusBadRequest) ErrInvalidCredentialType = errAPI.Code("invalid_credential_type").StatusError("credential type is invalid", http.StatusBadRequest) ErrInvalidCredentialDescription = errAPI.Code("invalid_credential_description").StatusError("credential description can be at most 32 characters long", http.StatusBadRequest) ErrInvalidAWSEndpoint = errAPI.Code("invalid_aws_endpoint").StatusError("invalid AWS endpoint provided", http.StatusBadRequest) ErrInvalidProof = errAPI.Code("invalid_proof").StatusError("invalid proof provided for credential", http.StatusUnauthorized) ErrAWSAccountMismatch = errAPI.Code("aws_account_mismatch").StatusError("the AWS Account ID in the role ARN does not match the AWS Account ID of the AWS credentials used for authentication. Make sure you are using AWS credentials that correspond to the role you are trying to add.", http.StatusUnauthorized) ErrAWSAuthFailed = errAPI.Code("aws_auth_failed").StatusError("authentication not accepted by AWS", http.StatusUnauthorized) ErrAWSKMSKeyNotFound = errAPI.Code("aws_kms_key_not_found").StatusError("could not found the KMS key", http.StatusNotFound) ErrInvalidRoleARN = errAPI.Code("invalid_role_arn").StatusError("provided role is not a valid ARN", http.StatusBadRequest) ErrMissingMetadata = errAPI.Code("missing_metadata").StatusErrorPref("expecting %s metadata provided for credentials of type %s", http.StatusBadRequest) ErrInvalidMetadataValue = errAPI.Code("invalid_metadata").StatusErrorPref("invalid value for metadata %s: %s", http.StatusBadRequest) ErrUnknownMetadataKey = errAPI.Code("unknown_metadata_key").StatusErrorPref("unknown metadata key: %s", http.StatusBadRequest) ErrRoleDoesNotMatch = errAPI.Code("role_does_not_match").StatusError("role in metadata does not match the verifier", http.StatusBadRequest) ErrGCPServiceAccountEmailDoesNotMatch = errAPI.Code("service_account_email_mismatch").StatusError("service account email in metadata does not match the verifier", http.StatusBadRequest) ErrCannotDisableCurrentCredential = errAPI.Code("cannot_disable_current_credential").StatusError("cannot disable the credential that is currently used on this device", http.StatusConflict) )
Errors
var ( ErrInvalidDirName = errAPI.Code("invalid_dir_name").StatusError( "directory names must be between 2 and 32 characters long and "+ "may only contain letters, numbers, dashes (-), underscores (_), and dots (.)", http.StatusBadRequest, ) ErrInvalidDirBlindName = errAPI.Code("invalid_dir_blind_name").StatusErrorf("directory blind name is invalid: %s", http.StatusBadRequest, ErrInvalidBlindName) ErrInvalidParentBlindName = errAPI.Code("invalid_parent_blind_name").StatusErrorf("directory parent blind name is invalid: %s", http.StatusBadRequest, ErrInvalidBlindName) )
Errors
var ( ErrInvalidEncryptionAlgorithm = errAPI.Code("invalid_encryption_algorithm").Error("invalid encryption algorithm provided") ErrInvalidKeyType = errAPI.Code("invalid_key_type").Error("invalid key type") ErrKeyAlgorithmMismatch = errAPI.Code("key_algorithm_mismatch").Error("mismatch between algorithm and key type") ErrInvalidKeyLength = errAPI.Code("invalid_key_length").Error("key length value is invalid") ErrInvalidKeyDerivationAlgorithm = errAPI.Code("invalid_key_derivation_algorithm").Error("invalid key derivation algorithm") )
Errors
var ( ErrInvalidNonceLength = errAPI.Code("invalid_nonce_length").Error("invalid nonce length provided") ErrInvalidHashingAlgorithm = errAPI.Code("invalid_hashing_algorithm").Error("invalid hashing algorithm provided") )
Errors
var ( ErrInvalidSecretPath = errAPI.Code("invalid_secret_path").ErrorPref("secret path must be of the form <namespace>/<repo>[/<dir-path>]/<secret> got '%s'") ErrInvalidRepoPath = errAPI.Code("invalid_repo_path").ErrorPref("repo path must be of the form <namespace>/<repo> got '%s'") ErrInvalidDirPath = errAPI.Code("invalid_dir_path").ErrorPref("dir path must be of the form <namespace>/<repo>[/<dir-path>] got '%s'") ErrInvalidNamespace = errAPI.Code("invalid_namespace").Error("namespace must be a valid username") ErrInvalidPath = errAPI.Code("invalid_path").Error("path is not a reference to a namespace, a repository, a directory, or a secret") ErrInvalidPathType = errAPI.Code("invalid_path_type").Error("using an unknown path type") ErrPathAlreadyHasVersion = errAPI.Code("path_already_has_version").Error("this secret path already has a version") ErrPathHasNoVersion = errAPI.Code("path_has_no_version").Error("this secret path requires a version") ErrParentPathOnInvalidPath = errAPI.Code("parent_path_on_invalid_path").ErrorPref("retrieving a parent path on an invalid path: %s") )
Errors
var ( ErrInvalidOrgName = errAPI.Code("invalid_org_name").StatusError( "organization names must be between 3 and 32 characters long and "+ "may only contain letters, numbers, dashes (-), underscores (_), and dots (.)", http.StatusBadRequest, ) ErrOrgNameMustContainAlphanumeric = errAPI.Code("org_name_must_contain_alphanumeric").StatusError( "organization names must contain at least one alphanumeric character ", http.StatusBadRequest, ) ErrInvalidDescription = errAPI.Code("invalid_description").StatusError( "descriptions have a maximum length of 144 characters "+ "and may only contain (special) letters, numbers, spaces, and punctuation characters", http.StatusBadRequest, ) ErrInvalidBlindName = errAPI.Code("invalid_blind_name").StatusError("The blind name is not a 256 bits string encoded with URL safe base64", http.StatusBadRequest) ErrInvalidDirPermission = errAPI.Code("invalid_dir_permission").StatusError( "directory permission may only consist of up to 3 unique letters r (read), w (write), and a (admin)", http.StatusBadRequest, ) ErrInvalidDirRole = errAPI.Code("invalid_dir_role").StatusError( "directory roles must be either read, write, or admin", http.StatusBadRequest, ) ErrInvalidCredentialFingerprint = errAPI.Code("invalid_credential_fingerprint").StatusError( "credential fingerprint must consist of 64 hexadecimal characters", http.StatusBadRequest, ) )
Errors
var ( ErrInvalidRepoName = errAPI.Code("invalid_repo_name").StatusError( "repo names must be between 1 and 32 characters long and "+ "may only contain letters, numbers, dashes (-), underscores (_), and dots (.)", http.StatusBadRequest, ) ErrInvalidRepoEncryptionKey = errAPI.Code("invalid_repo_encryption_key").StatusError("repo encryption key is invalid", http.StatusBadRequest) ErrInvalidRepoIndexKey = errAPI.Code("invalid_repo_index_key").StatusError("repo index key is invalid", http.StatusBadRequest) ErrInvalidAccountID = errAPI.Code("invalid_account_id").StatusError("account id is invalid", http.StatusBadRequest) ErrInvalidSecretMemberAccountID = errAPI.Code("invalid_secret_member_account_id").StatusError("account id of secret member does not correspond to the account id of the invited user", http.StatusBadRequest) ErrInvalidSecretKeyMemberAccountID = errAPI.Code("invalid_secret_key_member_account_id").StatusError("account id of secret key member does not correspond to the account id of the invited user", http.StatusBadRequest) ErrRepoMemberNotFound = errAPI.Code("repo_member_not_found").StatusError("repo member not found", http.StatusNotFound) ErrNoRootDir = errAPI.Code("no_root_dir").StatusError("there is no create dir request for the root directory", http.StatusBadRequest) ErrNoRepoMember = errAPI.Code("no_repo_member").StatusError("there is no create repo member request for the root directory", http.StatusBadRequest) )
Errors
var ( ErrInvalidSecretName = errAPI.Code("invalid_secret_name").StatusError( "secret names must be between 1 and 32 characters and "+ "may only contain letters, numbers, dashes (-), underscores (_), and dots (.)", http.StatusBadRequest, ) ErrInvalidSecretVersion = errAPI.Code("invalid_secret_version").StatusError( "secret version can only be positive numbers or latest", http.StatusBadRequest, ) ErrInvalidNodeID = errAPI.Code("invalid_node_id").StatusError("the node id is invalid", http.StatusBadRequest) ErrInvalidEncryptedSecretName = errAPI.Code("invalid_encrypted_secret_name").StatusError("invalid ciphertext for encrypted secret name", http.StatusBadRequest) ErrInvalidSecretBlindName = errAPI.Code("invalid_secret_blind_name").StatusError("secret blind name is invalid", http.StatusBadRequest) ErrInvalidSecretBlob = errAPI.Code("invalid_secret_blob").StatusError("secret blob is invalid", http.StatusBadRequest) ErrNoSecretMembers = errAPI.Code("no_secret_members").StatusError("no secret members added to write request", http.StatusBadRequest) ErrInvalidSecretKeyID = errAPI.Code("invalid_secret_key_id").StatusError("secret_key_id is invalid", http.StatusBadRequest) ErrNotEncryptedForAccounts = errAPI.Code("not_encrypted_for_accounts").StatusError("missing data encrypted for accounts", http.StatusBadRequest) ErrNotUniquelyEncryptedForAccounts = errAPI.Code("not_uniquely_encrypted_for_accounts").StatusError("not uniquely encrypted for accounts", http.StatusBadRequest) ErrCannotDeleteLastSecretVersion = errAPI.Code("cannot_delete_last_version").StatusError("Cannot delete the last version of a secret", http.StatusForbidden) )
Errors
var ( // General ErrNotFound = errHub.Code("not_found").StatusError("Not found", http.StatusNotFound) ErrValidationFailed = errHub.Code("validation_failed").StatusError("Validation errors", http.StatusExpectationFailed) ErrBadRequest = errHub.Code("bad_request").StatusError("Bad request", http.StatusBadRequest) ErrTimeout = errHub.Code("timeout").StatusError("Timeout", http.StatusInternalServerError) ErrUnknownMethod = errHub.Code("method_not_supported").StatusError("Method not supported", http.StatusNotImplemented) ErrDomainNotFound = errHub.Code("domain_not_found").StatusError("Domain not found", http.StatusNotFound) ErrForbidden = errAPI.Code("forbidden").StatusError("You are not allowed to perform this action", http.StatusForbidden) ErrRequestNotAuthenticated = errAPI.Code("not_authenticated").StatusError("Request was not authenticated. Please ensure that the client has access to a credential or that an identity provider is configured correctly.", http.StatusUnauthorized) ErrNoAccountKeyForCredential = errAPI.Code("no_account_key_for_credential").StatusError("Could not find account-key for credential used for authentication.", http.StatusInternalServerError) ErrCannotPerformActionOnSelf = errAPI.Code("cannot_perform_action_on_self").StatusError("You cannot perform this action on yourself", http.StatusForbidden) ErrYourAccountNotKeyed = errAPI.Code("account_not_keyed").StatusError("Your account has not been fully initialized", http.StatusBadRequest) // DB ErrDatabaseRecordAlreadyExists = errHub.Code("already_exists").StatusError("Already exists", http.StatusConflict) // Namespaces ErrNamespaceNotFound = errAPI.Code("namespace_not_found").StatusError("Namespace not found", http.StatusNotFound) ErrNamespaceAlreadyExists = errAPI.Code("namespace_already_exists").StatusError("this name already exists", http.StatusConflict) ErrCannotPerformActionOnPersonalNamespace = errAPI.Code("not_allowed_on_personal_namespace").StatusError("you cannot perform this action on a personal namespace", http.StatusForbidden) // Auth ErrAccountIncomplete = errHub.Code("account_incomplete").StatusError("This account is not registered, please create a user first", http.StatusForbidden) ErrTokenNotVerified = errHub.Code("token_not_verified").StatusError("Token not verified", http.StatusUnauthorized) ErrPasswordTooWeak = errHub.Code("password_too_weak").StatusError("The password must be longer than 8 characters", http.StatusBadRequest) ErrSignatureNotVerified = errHub.Code("invalid_signature").StatusError("request was not signed by a valid credential", http.StatusUnauthorized) // Repos ErrRepoNotFound = errHub.Code("repo_not_found").StatusErrorPref("Repo '%s' not found", http.StatusNotFound) ErrRepoAlreadyExists = errHub.Code("repo_already_exists").StatusError("Repo already exists, please create a different repo", http.StatusConflict) // Dirs ErrDirAlreadyExists = errHub.Code("dir_already_exists").StatusError("Directory or secret already exists, create a different directory", http.StatusConflict) ErrDirNotFound = errHub.Code("dir_not_found").StatusError("Directory not found", http.StatusNotFound) ErrParentDirNotFound = errHub.Code("parent_dir_not_found").StatusError("Parent directory not found", http.StatusNotFound) ErrCannotRemoveRootDir = errHub.Code("cannot_remove_root_dir").StatusError("Root directory of a repository cannot be removed, remove the repository instead", http.StatusBadRequest) // Secrets ErrSecretAlreadyExists = errHub.Code("secret_already_exists").StatusError("Secret or directory already exists, please update or create a different secret", http.StatusConflict) ErrSecretNotFound = errHub.Code("secret_not_found").StatusError("Secret not found", http.StatusNotFound) ErrSecretVersionNotFound = errHub.Code("version_not_found").StatusError("Version of secret not found", http.StatusNotFound) ErrSecretKeyNotFound = errHub.Code("secret_key_not_found").StatusError("Key for secret not found", http.StatusNotFound) // Secret Keys ErrSecretKeyFlagged = errAPI.Code("secret_key_flagged").StatusError(fmt.Sprintf("Cannot write new secrets with a key that has status %s", StatusFlagged), http.StatusBadRequest) ErrNoOKSecretKey = errAPI.Code("no_secret_key_found_with_status_ok").StatusError(fmt.Sprintf("No secret key found with status %s", StatusOK), http.StatusNotFound) // Organization ErrOrgAlreadyExists = errAPI.Code("org_already_exists").StatusError("Organization already exists, please create a different organization", http.StatusConflict) ErrOrgNotFound = errAPI.Code("org_not_found").StatusError("Organization not found", http.StatusNotFound) ErrOrgMemberNotFound = errAPI.Code("org_member_not_found").StatusError("Organization member not found", http.StatusNotFound) ErrOrgMemberAlreadyExists = errAPI.Code("org_member_already_exists").StatusError("Organization member already exists", http.StatusConflict) ErrInvalidOrgRole = errAPI.Code("invalid_org_role").StatusError("Organization role is invalid. Must be either `admin` or `member`", http.StatusBadRequest) ErrCannotRemoveLastOrgAdmin = errAPI.Code("cannot_remove_last_org_admin").StatusError("The last admin of an organization cannot be removed.", http.StatusForbidden) // User ErrUserEmailAlreadyExists = errHub.Code("user_email_already_exists").StatusError("That email address is already in use", http.StatusConflict) ErrUsernameAlreadyExists = errHub.Code("username_already_exists").StatusError("A user with the given username already exists, please choose a different username", http.StatusConflict) ErrUserNotFound = errHub.Code("user_not_found").StatusError("User not found, please verify username", http.StatusNotFound) ErrNotAUser = errHub.Code("not_a_user").StatusError("Only users can perform this action", http.StatusForbidden) ErrNotOwner = errHub.Code("not_owner").StatusError("Only repo owners can perform this action", http.StatusForbidden) ErrCannotAddYourself = errHub.Code("cannot_add_self").StatusError("You cannot add yourself to your repo", http.StatusForbidden) ErrCannotRemoveYourself = errHub.Code("cannot_remove_self").StatusError("You cannot remove yourself from your repo", http.StatusForbidden) // Service ErrServiceNotFound = errHub.Code("service_not_found").StatusError("Service not found", http.StatusNotFound) ErrAccountIsNotService = errHub.Code("not_a_service").StatusError("Account name does not represent a service", http.StatusBadRequest) ErrServiceAlreadyExists = errHub.Code("service_already_exists").StatusError("Service already exists, please create a different service", http.StatusConflict) ErrNoAdminAccess = errHub.Code("no_admin_access").StatusError("Only accounts with Admin access can perform this action", http.StatusForbidden) ErrMemberAlreadyExists = errHub.Code("member_already_exists").StatusError("The member already exists", http.StatusConflict) // Account ErrAccountNotFound = errHub.Code("account_not_found").StatusError("Account not found", http.StatusNotFound) ErrUnknownSubjectType = errHub.Code("unknown_subject_type").Error("Unknown subject type") // no status error because it is an internal error ErrUnknownAccountType = errHub.Code("unknown_account_type").Error("Unknown account type") // no status error because it is an internal error ErrNotMemberOfRepo = errHub.Code("not_repo_member").StatusError("Account is not a member of the repo", http.StatusBadRequest) // Credential ErrCredentialNotFound = errHub.Code("credential_not_found").StatusError("Credential not found", http.StatusNotFound) ErrCredentialAlreadyExists = errHub.Code("credential_already_exists").StatusError("A credential with the given identifier already exists", http.StatusConflict) // Account key ErrPublicAccountKeyConflict = errHub.Code("public_account_key_does_not_match").StatusError("A different public account key is already registered for this account", http.StatusConflict) ErrPrivateKeyAlreadyExists = errHub.Code("private_key_already_exists").StatusError("A private key for this credential already exists.", http.StatusConflict) ErrCredentialNotKeyed = errHub.Code("credential_not_keyed").StatusError("The account key has not been encrypted for this credential", http.StatusNotFound) // Dirs ErrCannotRemoveLastRootAdmin = errHub.Code("cannot_remove_last_root_admin").StatusError("Cannot remove the last admin on the repo root", http.StatusBadRequest) )
Errors returned by the SecretHub API
var ( ErrInvalidServiceID = errAPI.Code("invalid_service_id").StatusError( "service id is 14 characters long and starts with s-", http.StatusBadRequest, ) ErrInvalidServiceDescription = errAPI.Code("invalid_service_description").StatusError( fmt.Sprintf( "service descriptions can at most be %d long and cannot contain any newlines or tabs", serviceDescriptionMaxLength, ), http.StatusBadRequest, ) ErrAccessDeniedToKMSKey = errAPI.Code("access_denied").StatusError("access to KMS key is denied", http.StatusForbidden) )
Errors
var ( ErrParentDirNotAvailable = errAPI.Code("parent_dir_not_available").StatusError("the parent directory is not available in EncryptedTree", http.StatusInternalServerError) ErrMultipleRootDirs = errAPI.Code("multiple_root_dirs").StatusError("there are multiple root directories possible", http.StatusInternalServerError) )
Errors
var ( ErrInvalidUsername = errAPI.Code("invalid_username").StatusError( "usernames must be between 3 and 32 characters long and "+ "may only contain letters, numbers, dashes (-), underscores (_), and dots (.)", http.StatusBadRequest, ) ErrUsernameMustContainAlphanumeric = errAPI.Code("username_must_contain_alphanumeric").StatusError( "usernames must contain at least one alphanumeric character ", http.StatusBadRequest, ) ErrUsernameIsService = errAPI.Code("username_is_service").StatusError( "usernames cannot start with s- as that prefix is reserved for service accounts", http.StatusBadRequest, ) ErrInvalidPublicKey = errAPI.Code("invalid_public_key").StatusError("public key is invalid", http.StatusBadRequest) ErrInvalidEmail = errAPI.Code("invalid_email").StatusError("email address is invalid", http.StatusBadRequest) ErrInvalidFullName = errAPI.Code("invalid_full_name").StatusError( "full names may be at most 128 characters long and "+ "may only contain (special) letters, apostrophes ('), spaces and dashes (-)", http.StatusBadRequest, ) ErrNoPasswordNorCredential = errAPI.Code("no_password_nor_credential").StatusError("either a password or a credential should be supplied", http.StatusBadRequest) ErrTooManyVerificationRequests = errAPI.Code("too_many_verification_requests").StatusError("another verification email was requested recently, please wait a few minutes before trying again", http.StatusTooManyRequests) )
Errors
var (
ErrAccessLevelUnknown = errAPI.Code("access_level_unknown").Error("The access level is not known")
)
Error
var (
ErrEncryptedDataTooBig = errAPI.Code("encrypted_data_too_big").Error(fmt.Sprintf("maximum size of encrypted data is %s", units.BytesSize(MaxEncryptedSecretSize)))
)
Errors
Functions ¶
func GetFingerprint ¶ added in v0.21.0
func GetFingerprint(t CredentialType, verifier []byte) string
GetFingerprint returns the fingerprint of a credential.
func IsErrNotFound ¶ added in v0.21.0
IsErrNotFound returns whether the given error is caused by a un-existing resource.
func StringValue ¶ added in v0.21.0
StringValue safely converts a *string into a string.
func ValidateAccountName ¶
ValidateAccountName validates an AcccountName.
func ValidateBlindName ¶
ValidateBlindName validates a blind name.
func ValidateCredentialDescription ¶ added in v0.25.0
ValidateCredentialDescription validates the description for a credential.
func ValidateCredentialFingerprint ¶ added in v0.25.0
ValidateCredentialFingerprint validates whether the given string is a valid credential fingerprint.
func ValidateDirPath ¶
ValidateDirPath validates a dir path of form :owner/:repo_name/[parents/]*:directory
func ValidateEmail ¶
ValidateEmail validates an email address.
func ValidateFullName ¶
ValidateFullName validates a user's full name.
func ValidateGCPKMSKeyResourceID ¶ added in v0.29.0
ValidateGCPKMSKeyResourceID validates whether the given string is potentially a valid resource ID for a GCP KMS key The function does a best-effort check. If no error is returned, this does not mean the value is accepted by GCP.
func ValidateGCPServiceAccountEmail ¶ added in v0.29.0
ValidateGCPServiceAccountEmail validates whether the given string is potentially a valid email for a GCP Service Account. The function does a best-effort check. If no error is returned, this does not mean the value is accepted by GCP.
func ValidateNamespace ¶
ValidateNamespace validates a username.
func ValidateOrgDescription ¶
ValidateOrgDescription validates an organization description.
func ValidateOrgName ¶
ValidateOrgName validates an organization name.
func ValidateOrgRole ¶
ValidateOrgRole validates an organization role.
func ValidateRepoName ¶
ValidateRepoName validates a repo name.
func ValidateRepoPath ¶
ValidateRepoPath validates a repo path of form :owner/:repo_name
func ValidateSecretName ¶
ValidateSecretName validates a secret name.
func ValidateSecretPath ¶
ValidateSecretPath validates a secret path of form :owner/:repo_name/:secretname
func ValidateServiceDescription ¶
ValidateServiceDescription validates a service description.
func ValidateServiceID ¶
ValidateServiceID validates a service id.
func ValidateShortCredentialFingerprint ¶ added in v0.25.0
ValidateShortCredentialFingerprint validates whether the given string can be used as a short version of a credential fingerprint.
func ValidateUsername ¶
ValidateUsername validates a username.
Types ¶
type AccessLevel ¶
type AccessLevel struct { Account *Account `json:"account"` AccountID uuid.UUID `json:"account_id"` DirID uuid.UUID `json:"dir_id"` Permission Permission `json:"permission"` }
AccessLevel defines the permissions of an account on a directory and is the effect of one or more access rules on the directory itself or its parent(s).
type AccessRule ¶
type AccessRule struct { Account *Account `json:"account"` AccountID uuid.UUID `json:"account_id"` DirID uuid.UUID `json:"dir_id"` RepoID uuid.UUID `json:"repo_id"` Permission Permission `json:"permission"` CreatedAt time.Time `json:"created_at"` LastChangedAt time.Time `json:"last_changed_at"` }
AccessRule defines the permission of an account on a directory and its children.
type Account ¶
type Account struct { AccountID uuid.UUID `json:"account_id"` Name AccountName `json:"name"` PublicKey []byte `json:"public_key"` AccountType string `json:"account_type"` CreatedAt time.Time `json:"created_at"` }
Account represents an account on SecretHub.
type AccountName ¶
type AccountName string
AccountName represents the name of either a user or a service.
func NewAccountName ¶
func NewAccountName(name string) (AccountName, error)
NewAccountName validates an account's name and returns it as a typed AccountName when valid.
func (AccountName) IsService ¶
func (n AccountName) IsService() bool
IsService returns true if the AccountName contains the name of a service.
func (AccountName) IsUser ¶
func (n AccountName) IsUser() bool
IsUser returns true if the AccountName contains the name of a user.
func (*AccountName) Set ¶
func (n *AccountName) Set(value string) error
Set sets the AccountName to the value.
func (AccountName) String ¶
func (n AccountName) String() string
String returns the account's name as a string to be used for printing.
func (AccountName) Validate ¶
func (n AccountName) Validate() error
Validate checks whether an AccountName is valid.
func (AccountName) Value ¶
func (n AccountName) Value() string
Value returns the account's name as a string to be used in communication with the client and in transportation to the server.
type Audit ¶
type Audit struct { EventID uuid.UUID `json:"event_id"` Action AuditAction `json:"action"` IPAddress string `json:"ip_address"` LoggedAt time.Time `json:"logged_at"` Repo Repo `json:"repo"` Actor AuditActor `json:"actor"` Subject AuditSubject `json:"subject"` }
Audit represents an AuditEvent in SecretHub.
type AuditAction ¶
type AuditAction string
AuditAction represents the action that was performed to create this audit event.
const ( AuditActionUnknown AuditAction = "unknown" AuditActionCreate AuditAction = "create" AuditActionRead AuditAction = "read" AuditActionUpdate AuditAction = "update" AuditActionDelete AuditAction = "delete" )
AuditAction values.
type AuditActor ¶
type AuditActor struct { ActorID uuid.UUID `json:"id,omitempty"` Deleted bool `json:"deleted,omitempty"` // Type is `user` or `service`. When actor is deleted, type is always `account` Type string `json:"type"` User *User `json:"user,omitempty"` Service *Service `json:"service,omitempty"` }
AuditActor represents the Account of an AuditEvent
type AuditSubject ¶
type AuditSubject struct { SubjectID uuid.UUID `json:"id,omitempty"` Deleted bool `json:"deleted,omitempty"` // Type is `user`, `service`, `repo`, `secret`, `secret_version` or `secret_key`. When subject is deleted, user and service are indicated with type `account` Type AuditSubjectType `json:"type"` User *User `json:"user,omitempty"` Service *Service `json:"service,omitempty"` Repo *Repo `json:"repo,omitempty"` EncryptedSecret *EncryptedSecret `json:"encrypted_secret,omitempty"` // This is converted to a Secret by the Client. Secret *Secret `json:"secret,omitempty"` EncryptedSecretVersion *EncryptedSecretVersion `json:"encrypted_secret_version,omitempty"` // This is converted to a SecretVersion by the Client. SecretVersion *SecretVersion `json:"secret_version,omitempty"` }
AuditSubject represents the Subject of an AuditEvent
type AuditSubjectType ¶
type AuditSubjectType string
AuditSubjectType represents the type of an audit subject.
type AuditSubjectTypeList ¶
type AuditSubjectTypeList []AuditSubjectType
AuditSubjectTypeList represents a list of AuditSubjectTypes.
func (AuditSubjectTypeList) Join ¶
func (l AuditSubjectTypeList) Join(separator string) string
Join converts an AuditSubjectTypeList to a string where each AuditSubjectType is separated by separator.
type AuthPayloadAWSSTS ¶ added in v0.21.0
AuthPayloadAWSSTS is the authentication payload used for authenticating with AWS STS.
func (AuthPayloadAWSSTS) Validate ¶ added in v0.21.0
func (pl AuthPayloadAWSSTS) Validate() error
Validate whether the AuthPayloadAWSSTS is valid.
type AuthPayloadGCPServiceAccount ¶ added in v0.29.0
type AuthPayloadGCPServiceAccount struct {
IDToken string `json:"id_token"`
}
AuthPayloadGCPServiceAccount is the authentication payload used for authenticating with a GCP Service Account.
func (AuthPayloadGCPServiceAccount) Validate ¶ added in v0.29.0
func (pl AuthPayloadGCPServiceAccount) Validate() error
type AuthRequest ¶ added in v0.21.0
type AuthRequest struct { Method string `json:"method"` SessionType SessionType `json:"session_type"` Payload interface{} `json:"payload"` }
AuthRequest is a request to authenticate and request a session.
func NewAuthRequestAWSSTS ¶ added in v0.21.0
func NewAuthRequestAWSSTS(sessionType SessionType, region string, stsRequest []byte) AuthRequest
NewAuthRequestAWSSTS returns a new AuthRequest for authentication using AWS STS.
func NewAuthRequestGCPServiceAccount ¶ added in v0.29.0
func NewAuthRequestGCPServiceAccount(sessionType SessionType, idToken string) AuthRequest
NewAuthRequestGCPServiceAccount returns a new AuthRequest for authentication using a GCP Service Account.
func (*AuthRequest) UnmarshalJSON ¶ added in v0.21.0
func (r *AuthRequest) UnmarshalJSON(b []byte) error
UnmarshalJSON converts a JSON representation into a AuthRequest with the correct Payload.
func (*AuthRequest) Validate ¶ added in v0.21.0
func (r *AuthRequest) Validate() error
Validate whether an AuthRequest is a valid request.
type BlindNamePath ¶
type BlindNamePath interface { // BlindName returns the blindname corresponding to this path. BlindName(key *crypto.SymmetricKey) (string, error) // GetRepoPath returns the RepoPath inside this BlindNamePath. GetRepoPath() RepoPath }
BlindNamePath represents a path that can be converted into a BlindName and exposes the necessary functions.
type CreateAccessRuleRequest ¶
type CreateAccessRuleRequest struct { Permission Permission `json:"permission"` EncryptedDirs []EncryptedNameForNodeRequest `json:"encrypted_dirs"` EncryptedSecrets []SecretAccessRequest `json:"encrypted_secrets"` }
CreateAccessRuleRequest contains the request fields for creating an AccessRule.
func (*CreateAccessRuleRequest) Validate ¶
func (car *CreateAccessRuleRequest) Validate() error
Validate validates the request fields.
type CreateAccountKeyRequest ¶
type CreateAccountKeyRequest struct { EncryptedPrivateKey *EncryptedData `json:"encrypted_private_key"` PublicKey []byte `json:"public_key"` }
CreateAccountKeyRequest contains the fields to add an account_key encrypted for a credential.
func (CreateAccountKeyRequest) Validate ¶
func (req CreateAccountKeyRequest) Validate() error
Validate checks whether the request is valid.
type CreateCredentialRequest ¶
type CreateCredentialRequest struct { Type CredentialType `json:"type"` Fingerprint string `json:"fingerprint"` Description *string `json:"name,omitempty"` Verifier []byte `json:"verifier"` Proof interface{} `json:"proof"` Metadata map[string]string `json:"metadata"` AccountKey *CreateAccountKeyRequest `json:"account_key,omitempty"` }
CreateCredentialRequest contains the fields to add a credential to an account.
func (*CreateCredentialRequest) UnmarshalJSON ¶ added in v0.21.0
func (req *CreateCredentialRequest) UnmarshalJSON(b []byte) error
UnmarshalJSON converts a JSON representation into a CreateCredentialRequest with the correct Proof.
func (*CreateCredentialRequest) Validate ¶
func (req *CreateCredentialRequest) Validate() error
Validate validates the request fields.
type CreateDirRequest ¶
type CreateDirRequest struct { BlindName string `json:"blind_name"` ParentBlindName string `json:"parent_blind_name"` EncryptedNames []EncryptedNameRequest `json:"encrypted_names"` }
CreateDirRequest contains the request fields for creating a new directory.
func (*CreateDirRequest) Validate ¶
func (cdr *CreateDirRequest) Validate() error
Validate validates the CreateDirRequest to be valid.
type CreateFederatedUserRequest ¶
type CreateFederatedUserRequest struct {
Username string `json:"username"`
}
CreateFederatedUserRequest contains the required fields for signing up with a federated user
func (CreateFederatedUserRequest) Validate ¶
func (req CreateFederatedUserRequest) Validate() error
Validate validates the request fields.
type CreateOrgMemberRequest ¶
CreateOrgMemberRequest contains the required fields for creating a user's organization membership.
func (CreateOrgMemberRequest) Validate ¶
func (req CreateOrgMemberRequest) Validate() error
Validate validates the request fields.
type CreateOrgRequest ¶
CreateOrgRequest contains the required fields for creating an organization.
func (CreateOrgRequest) Validate ¶
func (req CreateOrgRequest) Validate() error
Validate validates the request fields.
type CreateRepoMemberRequest ¶
type CreateRepoMemberRequest struct { RepoEncryptionKey []byte `json:"repo_encryption_key"` RepoIndexKey []byte `json:"repo_index_key"` }
CreateRepoMemberRequest contains the required fields for adding a user to a repo.
func (CreateRepoMemberRequest) Validate ¶
func (req CreateRepoMemberRequest) Validate() error
Validate validates a CreateRepoMemberRequests
type CreateRepoRequest ¶
type CreateRepoRequest struct { Name string `json:"name"` RootDir *CreateDirRequest `json:"root_dir"` RepoMember *CreateRepoMemberRequest `json:"repo_member"` }
CreateRepoRequest contains the required fields for a Repo.
func (CreateRepoRequest) Validate ¶
func (crr CreateRepoRequest) Validate() error
Validate validates the request fields.
type CreateSecretKeyRequest ¶
type CreateSecretKeyRequest struct {
EncryptedFor []EncryptedKeyRequest `json:"encrypted_for"`
}
CreateSecretKeyRequest contains the request fields for creating a new secret key.
func (*CreateSecretKeyRequest) Validate ¶
func (r *CreateSecretKeyRequest) Validate() error
Validate validates the request fields.
type CreateSecretRequest ¶
type CreateSecretRequest struct { BlindName string `json:"blind_name"` EncryptedData crypto.CiphertextAES `json:"encrypted_data"` EncryptedNames []EncryptedNameRequest `json:"encrypted_names"` EncryptedKeys []EncryptedKeyRequest `json:"encrypted_keys"` }
CreateSecretRequest contains the request fields for creating a new secret, together with its first version, encrypted for accounts that need access.
func (*CreateSecretRequest) Validate ¶
func (csr *CreateSecretRequest) Validate() error
Validate validates the request fields.
type CreateSecretVersionRequest ¶
type CreateSecretVersionRequest struct { EncryptedData crypto.CiphertextAES `json:"encrypted_data"` SecretKeyID uuid.UUID `json:"secret_key_id"` }
CreateSecretVersionRequest contains the request fields for creating a secret version with a secret key.
func (*CreateSecretVersionRequest) Validate ¶
func (csvr *CreateSecretVersionRequest) Validate() error
Validate validates the request fields.
type CreateServiceRequest ¶
type CreateServiceRequest struct { Description string `json:"description"` Credential *CreateCredentialRequest `json:"credential"` AccountKey *CreateAccountKeyRequest `json:"account_key"` RepoMember *CreateRepoMemberRequest `json:"repo_member"` }
CreateServiceRequest contains the required fields for creating an Service.
func (CreateServiceRequest) Validate ¶
func (req CreateServiceRequest) Validate() error
Validate validates the request fields.
type CreateUserRequest ¶
type CreateUserRequest struct { Username string `json:"username"` Email string `json:"email"` FullName string `json:"full_name"` Password string `json:"password,omitempty"` Credential *CreateCredentialRequest `json:"credential,omitempty"` }
CreateUserRequest contains the required fields for signing up
func (*CreateUserRequest) Validate ¶
func (req *CreateUserRequest) Validate() error
Validate validates the request fields.
type Credential ¶
type Credential struct { AccountID uuid.UUID `json:"account_id"` Type CredentialType `json:"type"` CreatedAt time.Time `json:"created_at"` Fingerprint string `json:"fingerprint"` Description string `json:"description"` Verifier []byte `json:"verifier"` Metadata map[string]string `json:"metadata,omitempty"` Enabled bool `json:"enabled"` }
Credential is used to authenticate to the API and to encrypt the account key.
type CredentialProofAWS ¶ added in v0.21.0
CredentialProofAWS is proof for when the credential type is AWSSTS.
func (CredentialProofAWS) Validate ¶ added in v0.21.0
func (p CredentialProofAWS) Validate() error
Validate whether the CredentialProofAWS is valid.
type CredentialProofBackupCode ¶ added in v0.25.0
type CredentialProofBackupCode struct{}
CredentialProofBackupCode is proof for when the credential type is backup key.
type CredentialProofGCPServiceAccount ¶ added in v0.29.0
type CredentialProofGCPServiceAccount struct{}
CredentialProofKey is proof for when the credential type is GCPServiceAccount.
type CredentialProofKey ¶ added in v0.21.0
type CredentialProofKey struct{}
CredentialProofKey is proof for when the credential type is RSA.
type CredentialType ¶
type CredentialType string
CredentialType is used to identify the type of algorithm that is used for a credential.
const ( CredentialTypeKey CredentialType = "key" CredentialTypeAWS CredentialType = "aws" CredentialTypeBackupCode CredentialType = "backup-code" CredentialTypeGCPServiceAccount CredentialType = "gcp-service-account" )
Credential types
type Dir ¶
type Dir struct { DirID uuid.UUID `json:"dir_id"` BlindName string `json:"blind_name"` Name string `json:"name"` ParentID *uuid.UUID `json:"parent_id"` Status string `json:"status"` CreatedAt time.Time `json:"created_at"` LastModifiedAt time.Time `json:"last_modified_at"` SubDirs []*Dir `json:"sub_dirs"` Secrets []*Secret `json:"secrets"` }
Dir represents an directory. A dir belongs to a repo and contains other dirs and secrets.
type DirPath ¶
type DirPath ParentPath
DirPath is a parse for dir paths of form :owner/:repo_name/[parents/]*:directory
func NewDirPath ¶
NewDirPath formats a RepoPath from an owner, repo string.
func (DirPath) BlindName ¶
func (dp DirPath) BlindName(key *crypto.SymmetricKey) (string, error)
BlindName returns the blind name of the DirPath.
func (DirPath) GetNamespace ¶
GetNamespace returns the namespace of the Repo.
func (DirPath) GetParentPath ¶
func (dp DirPath) GetParentPath() (ParentPath, error)
GetParentPath returns the parent of the directory.
func (DirPath) GetRepoPath ¶
GetRepoPath returns the namespace and repo name of the Repo.
func (DirPath) HasParentDirectory ¶
HasParentDirectory returns if the DirPath has a parent directory.
func (DirPath) IsRepoPath ¶
IsRepoPath returns if the dir path is on repo level.
func (DirPath) JoinSecret ¶
func (dp DirPath) JoinSecret(secretName string) SecretPath
JoinSecret constructs a new SecretPath combined by the dirPath and dirName.
type EncryptedAccountKey ¶
type EncryptedAccountKey struct { Account *Account `json:"account"` PublicKey []byte `json:"public_key"` EncryptedPrivateKey *EncryptedData `json:"encrypted_private_key"` Credential *Credential `json:"credential"` }
EncryptedAccountKey represents an account key encrypted with a credential.
type EncryptedData ¶ added in v0.21.0
type EncryptedData struct { Algorithm EncryptionAlgorithm `json:"algorithm"` Key interface{} `json:"key"` Parameters interface{} `json:"parameters,omitempty"` Metadata interface{} `json:"metadata,omitempty"` Ciphertext []byte `json:"ciphertext"` }
EncryptedData contains data that is encrypted with an algorithm described by Algorithm. If the encryption method requires metadata, this is contained in Metadata.
func NewEncryptedDataAESGCM ¶ added in v0.21.0
func NewEncryptedDataAESGCM(ciphertext, nonce []byte, nonceLength int, key interface{}) *EncryptedData
NewEncryptedDataAESGCM creates a new EncryptedData with the AES-GCM algorithm.
func NewEncryptedDataAWSKMS ¶ added in v0.21.0
func NewEncryptedDataAWSKMS(ciphertext []byte, key *EncryptionKeyAWS) *EncryptedData
NewEncryptedDataAWSKMS creates a new EncryptedData with the AWS-KMS algorithm.
func NewEncryptedDataGCPKMS ¶ added in v0.29.0
func NewEncryptedDataGCPKMS(ciphertext []byte, key *EncryptionKeyGCP) *EncryptedData
NewEncryptedDataAWSKMS creates a new EncryptedData with the GCP-KMS algorithm.
func NewEncryptedDataRSAOAEP ¶ added in v0.21.0
func NewEncryptedDataRSAOAEP(ciphertext []byte, hashingAlgorithm HashingAlgorithm, key interface{}) *EncryptedData
NewEncryptedDataRSAOAEP creates a new EncryptedData with the RSA-OAEP algorithm.
func (*EncryptedData) AESGCM ¶ added in v0.25.0
func (ed *EncryptedData) AESGCM() (*EncryptedDataAESGCM, error)
AESGCM casts the EncryptedData to EncryptedDataAESGCM. Returns an error if the EncryptedData does not have AESGCM as its algorithm.
func (*EncryptedData) UnmarshalJSON ¶ added in v0.21.0
func (ed *EncryptedData) UnmarshalJSON(b []byte) error
UnmarshalJSON populates an EncryptedData from a JSON representation.
func (*EncryptedData) Validate ¶ added in v0.21.0
func (ed *EncryptedData) Validate() error
Validate whether the EncryptedData is valid.
type EncryptedDataAESGCM ¶ added in v0.25.0
type EncryptedDataAESGCM struct { Key interface{} Parameters EncryptionParametersAESGCM Metadata EncryptionMetadataAESGCM Ciphertext []byte }
EncryptedDataAESGCM is a typed EncryptedData for the AESGCM algorithm.
type EncryptedDir ¶
type EncryptedDir struct { DirID uuid.UUID `json:"dir_id"` BlindName string `json:"blind_name"` EncryptedName crypto.CiphertextRSA `json:"encrypted_name"` ParentID *uuid.UUID `json:"parent_id"` Status string `json:"status"` CreatedAt time.Time `json:"created_at"` LastModifiedAt time.Time `json:"last_modified_at"` }
EncryptedDir represents an encrypted Dir. The names are encrypted and so are the names of SubDirs and Secrets. The secrets contain no encrypted data, only the encrypted name.
func (*EncryptedDir) Decrypt ¶
func (ed *EncryptedDir) Decrypt(accountKey *crypto.RSAPrivateKey) (*Dir, error)
Decrypt decrypts an EncryptedDir into a Dir.
type EncryptedKeyRequest ¶
type EncryptedKeyRequest struct { AccountID uuid.UUID `json:"account_id"` EncryptedKey crypto.CiphertextRSA `json:"encrypted_key"` }
EncryptedKeyRequest contains the request fields for re-encrypted for an account.
func (*EncryptedKeyRequest) Validate ¶
func (r *EncryptedKeyRequest) Validate() error
Validate validates the request fields.
type EncryptedNameForNodeRequest ¶
type EncryptedNameForNodeRequest struct { EncryptedNameRequest NodeID uuid.UUID `json:"node_id"` }
EncryptedNameForNodeRequest contains an EncryptedName for an Account and the corresponding NodeID.
func (EncryptedNameForNodeRequest) Validate ¶
func (nnr EncryptedNameForNodeRequest) Validate() error
Validate validates the EncryptedNameForNodeRequest.
type EncryptedNameRequest ¶
type EncryptedNameRequest struct { AccountID uuid.UUID `json:"account_id"` EncryptedName crypto.CiphertextRSA `json:"encrypted_name"` }
EncryptedNameRequest contains an EncryptedName for an Account.
func (*EncryptedNameRequest) Validate ¶
func (enr *EncryptedNameRequest) Validate() error
Validate validates the EncryptedNameRequest to be valid.
type EncryptedSecret ¶
type EncryptedSecret struct { SecretID uuid.UUID `json:"secret_id"` DirID uuid.UUID `json:"dir_id"` RepoID uuid.UUID `json:"repo_id"` EncryptedName crypto.CiphertextRSA `json:"encrypted_name"` BlindName string `json:"blind_name"` VersionCount int `json:"version_count"` LatestVersion int `json:"latest_version"` Status string `json:"status"` CreatedAt time.Time `json:"created_at"` }
EncryptedSecret represents an encrypted Secret It does not contain the encrypted data. Only the encrypted name.
func (*EncryptedSecret) Decrypt ¶
func (es *EncryptedSecret) Decrypt(accountKey *crypto.RSAPrivateKey) (*Secret, error)
Decrypt decrypts an EncryptedSecret into a Secret.
func (*EncryptedSecret) ToAuditSubject ¶
func (es *EncryptedSecret) ToAuditSubject() *AuditSubject
ToAuditSubject converts an EncryptedSecret to an AuditSubject
type EncryptedSecretKey ¶
type EncryptedSecretKey struct { SecretKeyID uuid.UUID `json:"secret_key_id"` AccountID uuid.UUID `json:"account_id"` EncryptedKey crypto.CiphertextRSA `json:"encrypted_key"` }
EncryptedSecretKey represents a secret key, encrypted for a specific account.
func (*EncryptedSecretKey) Decrypt ¶
func (k *EncryptedSecretKey) Decrypt(accountKey *crypto.RSAPrivateKey) (*SecretKey, error)
Decrypt decrypts an EncryptedSecretKey into a SecretKey.
type EncryptedSecretVersion ¶
type EncryptedSecretVersion struct { SecretVersionID uuid.UUID `json:"secret_version_id"` Secret *EncryptedSecret `json:"secret"` Version int `json:"version"` SecretKey *EncryptedSecretKey `json:"secret_key,omitempty"` EncryptedData *crypto.CiphertextAES `json:"encrypted_data,omitempty"` CreatedAt time.Time `json:"created_at"` Status string `json:"status"` }
EncryptedSecretVersion represents a version of an encrypted Secret. It contains the encrypted data and the corresponding key.
func (*EncryptedSecretVersion) Decrypt ¶
func (esv *EncryptedSecretVersion) Decrypt(accountKey *crypto.RSAPrivateKey) (*SecretVersion, error)
Decrypt decrypts an EncryptedSecretVersion into a SecretVersion.
func (*EncryptedSecretVersion) ToAuditSubject ¶
func (esv *EncryptedSecretVersion) ToAuditSubject() *AuditSubject
ToAuditSubject converts a SecretVersion to an AuditSubject
type EncryptedTree ¶
type EncryptedTree struct { Directories map[uuid.UUID]*EncryptedDir Secrets []*EncryptedSecret }
EncryptedTree can construct a full tree at a certain path. It contains all dirs and secrets.
func (EncryptedTree) Decrypt ¶
func (t EncryptedTree) Decrypt(accountKey *crypto.RSAPrivateKey) (*Tree, error)
Decrypt decrypts and constructs a tree of the directories and secrets. Decrypt does not set the ParentPath.
func (EncryptedTree) DecryptContents ¶
func (t EncryptedTree) DecryptContents(accountKey *crypto.RSAPrivateKey) ([]*Dir, []*Secret, error)
DecryptContents decrypts every directory and Secret.
type EncryptionAlgorithm ¶ added in v0.21.0
type EncryptionAlgorithm string
EncryptionAlgorithm specifies the encryption algorithm used for EncryptedData.
func (*EncryptionAlgorithm) UnmarshalJSON ¶ added in v0.21.0
func (ed *EncryptionAlgorithm) UnmarshalJSON(b []byte) error
UnmarshalJSON populates an EncryptionAlgorithm by converting an input string to lowercase.
type EncryptionKey ¶ added in v0.21.0
type EncryptionKey struct {
Type KeyType `json:"type"`
}
EncryptionKey specifies the common fields for all types of encryption keys.
type EncryptionKeyAWS ¶ added in v0.21.0
type EncryptionKeyAWS struct { EncryptionKey ID string `json:"id"` }
EncryptionKeyAWS is a key that is stored in the AWS KMS service and which can be used for encryption by calling the AWS KMS API.
func NewEncryptionKeyAWS ¶ added in v0.21.0
func NewEncryptionKeyAWS(id string) *EncryptionKeyAWS
NewEncryptionKeyAWS creates a EncryptionKeyAWS.
func (EncryptionKeyAWS) SupportsAlgorithm ¶ added in v0.21.0
func (EncryptionKeyAWS) SupportsAlgorithm(a EncryptionAlgorithm) bool
SupportsAlgorithm returns true when the encryption key supports the given algorithm.
func (EncryptionKeyAWS) Validate ¶ added in v0.21.0
func (k EncryptionKeyAWS) Validate() error
Validate whether the EncryptionKeyAWS is valid.
type EncryptionKeyAccountKey ¶ added in v0.21.0
type EncryptionKeyAccountKey struct { EncryptionKey Length int `json:"length"` ID uuid.UUID `json:"id"` }
EncryptionKeyAccountKey is an account's master key that is used to encrypt data and/or keys specifically for an account.
func NewEncryptionKeyAccountKey ¶ added in v0.21.0
func NewEncryptionKeyAccountKey(length int, id uuid.UUID) *EncryptionKeyAccountKey
NewEncryptionKeyAccountKey creates a EncryptionKeyAccountKey.
func (EncryptionKeyAccountKey) SupportsAlgorithm ¶ added in v0.21.0
func (EncryptionKeyAccountKey) SupportsAlgorithm(a EncryptionAlgorithm) bool
SupportsAlgorithm returns true when the encryption key supports the given algorithm.
func (EncryptionKeyAccountKey) Validate ¶ added in v0.21.0
func (k EncryptionKeyAccountKey) Validate() error
Validate whether the EncryptionKeyAccountKey is valid.
type EncryptionKeyBootstrapCode ¶ added in v0.25.0
type EncryptionKeyBootstrapCode struct { EncryptionKey Length int `json:"length"` }
EncryptionKeyBootstrapCode is an encryption key that is stored as a code memorized by the user.
func NewEncryptionKeyBootstrapCode ¶ added in v0.25.0
func NewEncryptionKeyBootstrapCode(length int) *EncryptionKeyBootstrapCode
NewEncryptionKeyLocal creates a EncryptionKeyBootstrapCode.
func (EncryptionKeyBootstrapCode) SupportsAlgorithm ¶ added in v0.25.0
func (EncryptionKeyBootstrapCode) SupportsAlgorithm(a EncryptionAlgorithm) bool
SupportsAlgorithm returns true when the encryption key supports the given algorithm.
func (EncryptionKeyBootstrapCode) Validate ¶ added in v0.25.0
func (k EncryptionKeyBootstrapCode) Validate() error
Validate whether the EncryptionKeyBootstrapCode is valid.
type EncryptionKeyDerived ¶ added in v0.21.0
type EncryptionKeyDerived struct { EncryptionKey Length int `json:"length"` Algorithm KeyDerivationAlgorithm `json:"algorithm"` Parameters interface{} `json:"parameters,omitempty"` Metadata interface{} `json:"metadata,omitempty"` }
EncryptionKeyDerived is an encryption key that can be derived from a passphrase.
func NewEncryptionKeyDerivedScrypt ¶ added in v0.21.0
func NewEncryptionKeyDerivedScrypt(length, p, n, r int, salt []byte) *EncryptionKeyDerived
NewEncryptionKeyDerivedScrypt creates a EncryptionKeyDerived with scrypt as key derivation algorithm.
func (EncryptionKeyDerived) SupportsAlgorithm ¶ added in v0.21.0
func (EncryptionKeyDerived) SupportsAlgorithm(a EncryptionAlgorithm) bool
SupportsAlgorithm returns true when the encryption key supports the given algorithm.
func (*EncryptionKeyDerived) UnmarshalJSON ¶ added in v0.21.0
func (k *EncryptionKeyDerived) UnmarshalJSON(b []byte) error
UnmarshalJSON populates an EncryptionKeyDerived from a JSON representation.
func (EncryptionKeyDerived) Validate ¶ added in v0.21.0
func (k EncryptionKeyDerived) Validate() error
Validate whether the EncryptionKeyDerived is valid.
type EncryptionKeyEncrypted ¶ added in v0.21.0
type EncryptionKeyEncrypted struct { EncryptionKey Length *int `json:"length"` EncryptedKey *EncryptedData `json:"encrypted_key"` }
EncryptionKeyEncrypted is an encryption key that has been encrypted by another key.
func NewEncryptionKeyEncrypted ¶ added in v0.21.0
func NewEncryptionKeyEncrypted(length int, encryptedKey *EncryptedData) *EncryptionKeyEncrypted
NewEncryptionKeyEncrypted creates a EncryptionKeyEncrypted.
func (EncryptionKeyEncrypted) SupportsAlgorithm ¶ added in v0.21.0
func (EncryptionKeyEncrypted) SupportsAlgorithm(a EncryptionAlgorithm) bool
SupportsAlgorithm returns true when the encryption key supports the given algorithm.
func (EncryptionKeyEncrypted) Validate ¶ added in v0.21.0
func (k EncryptionKeyEncrypted) Validate() error
Validate checks whether all the fields of the response are valid.
type EncryptionKeyGCP ¶ added in v0.29.0
type EncryptionKeyGCP struct { EncryptionKey ID string `json:"id"` }
EncryptionKeyGCP is a key that is stored in the GCP KMS service and which can be used for encryption by calling the GCP KMS API.
func NewEncryptionKeyGCP ¶ added in v0.29.0
func NewEncryptionKeyGCP(id string) *EncryptionKeyGCP
NewEncryptionKeyGCP creates a EncryptionKeyGCP.
func (EncryptionKeyGCP) SupportsAlgorithm ¶ added in v0.29.0
func (EncryptionKeyGCP) SupportsAlgorithm(a EncryptionAlgorithm) bool
SupportsAlgorithm returns true when the encryption key supports the given algorithm.
func (EncryptionKeyGCP) Validate ¶ added in v0.29.0
func (k EncryptionKeyGCP) Validate() error
Validate whether the EncryptionKeyAWS is valid.
type EncryptionKeyLocal ¶ added in v0.21.0
type EncryptionKeyLocal struct { EncryptionKey Length int `json:"length"` }
EncryptionKeyLocal is an encryption key that has is stored locally by the user.
func NewEncryptionKeyLocal ¶ added in v0.21.0
func NewEncryptionKeyLocal(length int) *EncryptionKeyLocal
NewEncryptionKeyLocal creates a EncryptionKeyLocal.
func (EncryptionKeyLocal) SupportsAlgorithm ¶ added in v0.21.0
func (EncryptionKeyLocal) SupportsAlgorithm(a EncryptionAlgorithm) bool
SupportsAlgorithm returns true when the encryption key supports the given algorithm.
func (EncryptionKeyLocal) Validate ¶ added in v0.21.0
func (k EncryptionKeyLocal) Validate() error
Validate whether the EncryptionKeyLocal is valid.
type EncryptionKeySecretKey ¶ added in v0.21.0
type EncryptionKeySecretKey struct { EncryptionKey Length int `json:"length"` ID uuid.UUID `json:"id"` }
EncryptionKeySecretKey is a key that is used to encrypt secrets
func NewEncryptionKeySecretKey ¶ added in v0.21.0
func NewEncryptionKeySecretKey(length int, id uuid.UUID) *EncryptionKeySecretKey
NewEncryptionKeySecretKey creates a EncryptionKeySecretKey.
func (EncryptionKeySecretKey) SupportsAlgorithm ¶ added in v0.21.0
func (EncryptionKeySecretKey) SupportsAlgorithm(a EncryptionAlgorithm) bool
SupportsAlgorithm returns true when the encryption key supports the given algorithm.
func (EncryptionKeySecretKey) Validate ¶ added in v0.21.0
func (k EncryptionKeySecretKey) Validate() error
Validate whether the EncryptionKeySecretKey is valid.
type EncryptionMetadataAESGCM ¶ added in v0.21.0
type EncryptionMetadataAESGCM struct {
Nonce []byte `json:"nonce"`
}
EncryptionMetadataAESGCM is the metadata used by the AES-GCM encryption algorithm.
func (EncryptionMetadataAESGCM) Validate ¶ added in v0.21.0
func (m EncryptionMetadataAESGCM) Validate() error
Validate checks whether the EncryptionMetadataAESGCM is valid.
type EncryptionParametersAESGCM ¶ added in v0.21.0
type EncryptionParametersAESGCM struct {
NonceLength int `json:"nonce_length"`
}
EncryptionParametersAESGCM are the parameters used by the AES-GCM encryption algorithm.
func (EncryptionParametersAESGCM) Validate ¶ added in v0.21.0
func (p EncryptionParametersAESGCM) Validate() error
Validate checks whether the EncryptionParametersAESGCM is valid.
type EncryptionParametersRSAOAEP ¶ added in v0.21.0
type EncryptionParametersRSAOAEP struct {
HashingAlgorithm HashingAlgorithm `json:"hashing_algorithm"`
}
EncryptionParametersRSAOAEP are the parameters used by the RSA-OAEP encryption algorithm.
func (EncryptionParametersRSAOAEP) Validate ¶ added in v0.21.0
func (p EncryptionParametersRSAOAEP) Validate() error
Validate checks whether the EncryptionParametersRSAOAEP is valid.
type HashingAlgorithm ¶ added in v0.21.0
type HashingAlgorithm string
HashingAlgorithm specifies the hashing algorithm used for any encryption algorithm using hasing.
func (*HashingAlgorithm) UnmarshalJSON ¶ added in v0.21.0
func (ed *HashingAlgorithm) UnmarshalJSON(b []byte) error
UnmarshalJSON populates an HashingAlgorithm by converting an input string to lowercase.
type InviteUserRequest ¶
type InviteUserRequest struct { AccountID uuid.UUID `json:"account_id"` RepoMember *CreateRepoMemberRequest `json:"repo_member"` }
InviteUserRequest contains the required fields for inviting a user to a repo.
func (InviteUserRequest) Validate ¶
func (req InviteUserRequest) Validate() error
Validate validates a InviteUserRequest
type KeyDerivationAlgorithm ¶ added in v0.21.0
type KeyDerivationAlgorithm string
KeyDerivationAlgorithm specifies the key derivation algorithm used for a derived key.
const (
KeyDerivationAlgorithmScrypt KeyDerivationAlgorithm = "scrypt"
)
Options for KeyDerivationAlgorithm
func (*KeyDerivationAlgorithm) UnmarshalJSON ¶ added in v0.21.0
func (ed *KeyDerivationAlgorithm) UnmarshalJSON(b []byte) error
UnmarshalJSON populates an KeyDerivationAlgorithm by converting an input string to lowercase.
type KeyDerivationMetadataScrypt ¶ added in v0.21.0
type KeyDerivationMetadataScrypt struct {
Salt []byte `json:"salt"`
}
KeyDerivationMetadataScrypt is the metadata used by the scrypt key derivation algorithm.
func (KeyDerivationMetadataScrypt) Validate ¶ added in v0.21.0
func (m KeyDerivationMetadataScrypt) Validate() error
Validate whether the KeyDerivationMetadataScrypt is valid.
type KeyDerivationParametersScrypt ¶ added in v0.21.0
KeyDerivationParametersScrypt are the parameters used by the scrypt key derivation algorithm.
func (KeyDerivationParametersScrypt) Validate ¶ added in v0.21.0
func (p KeyDerivationParametersScrypt) Validate() error
Validate whether the KeyDerivationParametersScrypt is valid.
type KeyType ¶ added in v0.21.0
type KeyType string
KeyType specifies the type of key used for EncryptedData.
const ( KeyTypeDerived KeyType = "derived" KeyTypeEncrypted KeyType = "encrypted" KeyTypeLocal KeyType = "local" KeyTypeAccountKey KeyType = "account-key" KeyTypeSecretKey KeyType = "secret-key" KeyTypeAWS KeyType = "aws" KeyTypeGCP KeyType = "gcp" KeyTypeBootstrapCode KeyType = "bootstrap-code" )
Options for KeyType
func (*KeyType) UnmarshalJSON ¶ added in v0.21.0
UnmarshalJSON populates an KeyType by converting an input string to lowercase.
type Namespace ¶
type Namespace ParentPath
Namespace represents a namespace
type NamespaceDetails ¶
type NamespaceDetails struct { Name string `json:"name"` MemberCount int `json:"member_count"` RepoCount int `json:"repo_count"` SecretCount int `json:"secret_count"` }
NamespaceDetails defines a user or organization namespace. TODO: rename this to Namespace currently claimed in paths.go
type Org ¶
type Org struct { OrgID uuid.UUID `json:"org_id"` Name string `json:"name"` Description string `json:"description"` CreatedAt time.Time `json:"created_at"` Members []*OrgMember `json:"members,omitempty"` }
Org represents an organization account on SecretHub
type OrgMember ¶
type OrgMember struct { OrgID uuid.UUID `json:"org_id"` AccountID uuid.UUID `json:"account_id"` Role string `json:"role"` CreatedAt time.Time `json:"created_at"` LastChangedAt time.Time `json:"last_changed_at"` User *User `json:"user,omitempty"` }
OrgMember represents a user's membership of an organization.
type OrgName ¶
type OrgName Namespace
OrgName is the name of an organization.
type ParentPath ¶
type ParentPath Path
ParentPath is a path to a namespace, repo or directory. This is used for generic blind name generation.
func (ParentPath) BlindName ¶
func (pp ParentPath) BlindName(key *crypto.SymmetricKey) (string, error)
BlindName generates the BlindName of the ParentPath.
func (ParentPath) GetRepoPath ¶
func (pp ParentPath) GetRepoPath() RepoPath
GetRepoPath returns the RepoPath of the ParentPath.
func (ParentPath) HasParentPath ¶
func (pp ParentPath) HasParentPath() bool
HasParentPath checks if the ParentPath has a path or if it is the repo path.
func (ParentPath) JoinDir ¶
func (pp ParentPath) JoinDir(dirName string) DirPath
JoinDir constructs a new DirPath combined by the ParentPath and dirName.
func (ParentPath) String ¶
func (pp ParentPath) String() string
type Path ¶
type Path string
Path represents a path to either a namespace, a repo, a directory, or a secret
func (Path) HasVersion ¶
HasVersion returns if the path has a version. Only SecretPath has versions, so if has a version it is a SecretPath.
func (Path) ToNamespace ¶
ToNamespace tries to convert the Path to a valid Namespace
func (Path) ToRepoPath ¶
ToRepoPath tries to convert the Path to a valid RepoPath
func (Path) ToSecretPath ¶
func (p Path) ToSecretPath() (SecretPath, error)
ToSecretPath tries to convert the Path to a valid SecretPath
type Permission ¶
type Permission int
Permission defines what kind of access an access rule grants or a access level has.
const ( PermissionNone Permission = iota PermissionRead PermissionWrite PermissionAdmin )
The different Permission options.
func (*Permission) Set ¶
func (al *Permission) Set(value string) error
Set sets the Permission to the value.
func (Permission) String ¶
func (al Permission) String() string
type Repo ¶
type Repo struct { RepoID uuid.UUID `json:"repo_id"` Owner string `json:"owner"` Name string `json:"name"` CreatedAt time.Time `json:"created_at"` LastModifiedAt time.Time `json:"last_modified_at"` Status string `json:"status"` SecretCount int `json:"secret_count,omitempty"` MemberCount int `json:"member_count,omitempty"` }
Repo represents a repo on SecretHub.
func (Repo) ToAuditSubject ¶
func (r Repo) ToAuditSubject() *AuditSubject
ToAuditSubject converts a Repo to an AuditSubject
type RepoKeys ¶
type RepoKeys struct { RepoEncryptionKey []byte `json:"repo_encryption_key"` RepoIndexKey []byte `json:"repo_index_key"` }
RepoKeys contains the response with the repo key.
type RepoMember ¶
type RepoMember struct { RepoID uuid.UUID `json:"repo_id"` AccountID uuid.UUID `json:"account_id"` CreatedAt time.Time `json:"created_at"` }
RepoMember represents a member of a SecretHub repo.
type RepoPath ¶
type RepoPath ParentPath
RepoPath is a parse for repo paths of form :owner/:repo_name
func NewRepoPath ¶
NewRepoPath formats a RepoPath from an owner and repo.
func (RepoPath) BlindName ¶
func (rp RepoPath) BlindName(key *crypto.SymmetricKey) (string, error)
BlindName returns the blind name of the DirPath.
func (RepoPath) GetDirPath ¶
GetDirPath converts this repoPath into a DirPath. This should be valid.
func (RepoPath) GetNamespace ¶
GetNamespace returns the namespace of the Repo.
func (RepoPath) GetNamespaceAndRepoName ¶
GetNamespaceAndRepoName returns the namespace and repo name of the Repo.
func (RepoPath) GetRepoPath ¶
GetRepoPath gets the RepoPath from the RepoPath. This function only works on validated RepoPaths. This is necessary to implement BlindNamePath interface.
type RevokeOpts ¶
type RevokeOpts struct {
DryRun bool `url:"dry_run"` // Dry performs a dry run without actually revoking the account.
}
RevokeOpts contains optional query parameters for revoke requests.
func (*RevokeOpts) Unmarshal ¶
func (o *RevokeOpts) Unmarshal(values url.Values)
Unmarshal decodes url.Values into the options struct, setting default values if not present in the query values. TODO SHDEV-817: refactor this to a more extendable mechanism.
type RevokeOrgResponse ¶
type RevokeOrgResponse struct { DryRun bool `json:"dry"` // Dry indicates whether it was a dry run or not. Repos []*RevokeRepoResponse `json:"repos"` StatusCounts map[string]int `json:"status_counts"` // StatusCounts contains aggregate counts of the repos the account is revoked from. }
RevokeOrgResponse is returned as the effect of revoking an account from a repository.
type RevokeRepoResponse ¶
type RevokeRepoResponse struct { Namespace string `json:"namespace"` // Added for display purposes Name string `json:"name"` // Added for display purposes Status string `json:"status"` RevokedSecretVersionCount int `json:"revoked_secret_version_count"` RevokedSecretKeyCount int `json:"revoked_secret_key_count"` }
RevokeRepoResponse is returned as the effect of revoking an account from a repo.
type RevokeResponse ¶
type RevokeResponse struct { RevokedSecretVersions []*EncryptedSecretVersion `json:"revoked_secret_versions"` RevokedSecretKeys []*SecretKey `json:"revoked_secret_keys"` }
RevokeResponse is returned when a revoke command is executed.
type Secret ¶
type Secret struct { SecretID uuid.UUID `json:"secret_id"` DirID uuid.UUID `json:"dir_id"` RepoID uuid.UUID `json:"repo_id"` Name string `json:"name"` BlindName string `json:"blind_name"` VersionCount int `json:"version_count"` LatestVersion int `json:"latest_version"` Status string `json:"status"` CreatedAt time.Time `json:"created_at"` }
Secret represents a decrypted secret in SecretHub.
type SecretAccessRequest ¶
type SecretAccessRequest struct { Name EncryptedNameForNodeRequest `json:"name_member"` Keys []SecretKeyMemberRequest `json:"keys"` }
SecretAccessRequest contains the request fields to grant an account access to a secret.
func (*SecretAccessRequest) Validate ¶
func (r *SecretAccessRequest) Validate() error
Validate validates the request fields.
type SecretKey ¶
type SecretKey struct { SecretKeyID uuid.UUID `json:"secret_key_id"` AccountID uuid.UUID `json:"account_id"` Key *crypto.SymmetricKey `json:"key"` }
SecretKey represents a secret key that is intended to be used by a specific account.
func (*SecretKey) ToAuditSubject ¶
func (sk *SecretKey) ToAuditSubject() *AuditSubject
ToAuditSubject converts a SecretKey to an AuditSubject
type SecretKeyMemberRequest ¶
type SecretKeyMemberRequest struct { AccountID uuid.UUID `json:"account_id"` SecretKeyID uuid.UUID `json:"secret_key_id"` EncryptedKey crypto.CiphertextRSA `json:"encrypted_key"` }
SecretKeyMemberRequest contains the request fields to grant access to a secret key.
func (*SecretKeyMemberRequest) Validate ¶
func (skmr *SecretKeyMemberRequest) Validate() error
Validate validates the request fields.
type SecretPath ¶
type SecretPath string
SecretPath is a custom type for secret paths of form :owner/:repo_name/:secret
func NewSecretPath ¶
func NewSecretPath(path string) (SecretPath, error)
NewSecretPath formats a SecretPath from an owner, repo, and a secret.
func (SecretPath) AddVersion ¶
func (sp SecretPath) AddVersion(version int) (SecretPath, error)
AddVersion adds a version to a SecretPath and returns this path.
func (SecretPath) BlindName ¶
func (sp SecretPath) BlindName(key *crypto.SymmetricKey) (string, error)
BlindName converts a SecretPath to a blindname. BlindName ignores the Secret Version.
func (SecretPath) GetNamespace ¶
func (sp SecretPath) GetNamespace() string
GetNamespace returns the namespace in the SecretPath.
func (SecretPath) GetParentPath ¶
func (sp SecretPath) GetParentPath() (ParentPath, error)
GetParentPath gets the DirPath from the SecretPath.
func (SecretPath) GetRepo ¶
func (sp SecretPath) GetRepo() string
GetRepo returns the repo name in the SecretPath.
func (SecretPath) GetRepoPath ¶
func (sp SecretPath) GetRepoPath() RepoPath
GetRepoPath gets the RepoPath from the SecretPath. This function only works on validated SecretPaths.
func (SecretPath) GetSecret ¶
func (sp SecretPath) GetSecret() string
GetSecret gets the secret name from the path.
func (SecretPath) GetVersion ¶
func (sp SecretPath) GetVersion() (string, error)
GetVersion gets the version from the path.
func (SecretPath) HasVersion ¶
func (sp SecretPath) HasVersion() bool
HasVersion returns whether there is a version specified in the path.
func (*SecretPath) Set ¶
func (sp *SecretPath) Set(value string) error
Set implements the flag.Value interface and validates the value.
func (SecretPath) String ¶
func (sp SecretPath) String() string
String returns the secret path as a string to be used for printing.
func (SecretPath) Validate ¶
func (sp SecretPath) Validate() error
Validate validates a Secret path.
func (SecretPath) Value ¶
func (sp SecretPath) Value() string
Value returns the secret path as a string to be used in communication with the client and in transportation to the server.
type SecretVersion ¶
type SecretVersion struct { SecretVersionID uuid.UUID `json:"secret_version_id"` Secret *Secret `json:"secret"` Version int `json:"version"` SecretKey *SecretKey `json:"secret_key,omitempty"` Data []byte `json:"data,omitempty"` CreatedAt time.Time `json:"created_at"` Status string `json:"status"` }
SecretVersion represents a version of a Secret without any encrypted data.
func (*SecretVersion) IsLatest ¶
func (sv *SecretVersion) IsLatest() bool
IsLatest returns true when the secret version is the latest version of the secret.
func (*SecretVersion) Name ¶
func (sv *SecretVersion) Name() string
Name returns the secret name:version
type Service ¶
type Service struct { AccountID uuid.UUID `json:"account_id"` ServiceID string `json:"service_id"` Repo *Repo `json:"repo"` Description string `json:"description"` CreatedBy uuid.UUID `json:"created_by"` CreatedAt time.Time `json:"created_at"` Credential *Credential `json:"credential"` }
Service represents a service account on SecretHub.
func (Service) ToAuditActor ¶
func (a Service) ToAuditActor() *AuditActor
ToAuditActor converts an Service to an AuditActor
func (Service) ToAuditSubject ¶
func (a Service) ToAuditSubject() *AuditSubject
ToAuditSubject converts an Service to an AuditSubject
type Session ¶ added in v0.21.0
type Session struct { SessionID uuid.UUID `json:"session_id"` ExpiresAt time.Time `json:"expires_at"` Type SessionType `json:"type"` Payload interface{} `json:"payload"` }
Session represents a session that can be used for authentication to the server.
func NewSessionHMAC ¶ added in v0.21.0
NewSessionHMAC returns a HMAC type api.Session.
func (*Session) HMAC ¶ added in v0.21.0
func (s *Session) HMAC() *SessionHMAC
HMAC returns the HMAC specific representation of this session.
func (*Session) UnmarshalJSON ¶ added in v0.21.0
UnmarshalJSON converts a JSON representation into a Session with the correct Payload.
type SessionHMAC ¶ added in v0.21.0
type SessionHMAC struct { SessionID uuid.UUID Expires time.Time Payload SessionPayloadHMAC }
SessionHMAC is a session that uses the HMAC algorithm to verify the authentication.
type SessionPayloadHMAC ¶ added in v0.21.0
type SessionPayloadHMAC struct {
SessionKey string `json:"session_key"`
}
SessionPayloadHMAC is the payload of a HMAC typed session.
func (*SessionPayloadHMAC) Validate ¶ added in v0.21.0
func (pl *SessionPayloadHMAC) Validate() error
Validate whether the SessionPayloadHMAC is valid.
type SessionType ¶ added in v0.21.0
type SessionType string
SessionType defines how a session can be used.
const (
SessionTypeHMAC SessionType = "hmac"
)
SessionType options
type SortAccessLevels ¶
type SortAccessLevels []*AccessLevel
SortAccessLevels sorts a list of AccessLevels first by the permission and then by the account name.
func (SortAccessLevels) Len ¶
func (s SortAccessLevels) Len() int
func (SortAccessLevels) Less ¶
func (s SortAccessLevels) Less(i, j int) bool
func (SortAccessLevels) Swap ¶
func (s SortAccessLevels) Swap(i, j int)
type SortAccessRules ¶
type SortAccessRules []*AccessRule
SortAccessRules makes a list of AccessRules sortable. Sort order: Permission (high to low), AccountName (natural)
func (SortAccessRules) Len ¶
func (s SortAccessRules) Len() int
func (SortAccessRules) Less ¶
func (s SortAccessRules) Less(i, j int) bool
func (SortAccessRules) Swap ¶
func (s SortAccessRules) Swap(i, j int)
type SortDirByName ¶
type SortDirByName []*Dir
SortDirByName makes a list of Dir sortable.
func (SortDirByName) Len ¶
func (d SortDirByName) Len() int
func (SortDirByName) Less ¶
func (d SortDirByName) Less(i, j int) bool
func (SortDirByName) Swap ¶
func (d SortDirByName) Swap(i, j int)
type SortDirPaths ¶
type SortDirPaths []DirPath
SortDirPaths makes a slice of dir paths sortable.
func (SortDirPaths) Len ¶
func (s SortDirPaths) Len() int
func (SortDirPaths) Less ¶
func (s SortDirPaths) Less(i, j int) bool
func (SortDirPaths) Swap ¶
func (s SortDirPaths) Swap(i, j int)
type SortOrgByName ¶
type SortOrgByName []*Org
SortOrgByName makes a list of orgs sortable.
func (SortOrgByName) Len ¶
func (s SortOrgByName) Len() int
func (SortOrgByName) Less ¶
func (s SortOrgByName) Less(i, j int) bool
func (SortOrgByName) Swap ¶
func (s SortOrgByName) Swap(i, j int)
type SortOrgMemberByUsername ¶
type SortOrgMemberByUsername []*OrgMember
SortOrgMemberByUsername makes a list of org members sortable.
func (SortOrgMemberByUsername) Len ¶
func (s SortOrgMemberByUsername) Len() int
func (SortOrgMemberByUsername) Less ¶
func (s SortOrgMemberByUsername) Less(i, j int) bool
func (SortOrgMemberByUsername) Swap ¶
func (s SortOrgMemberByUsername) Swap(i, j int)
type SortRepoByName ¶
type SortRepoByName []*Repo
SortRepoByName makes a list of repos sortable.
func (SortRepoByName) Len ¶
func (r SortRepoByName) Len() int
func (SortRepoByName) Less ¶
func (r SortRepoByName) Less(i, j int) bool
func (SortRepoByName) Swap ¶
func (r SortRepoByName) Swap(i, j int)
type SortSecretByName ¶
type SortSecretByName []*Secret
SortSecretByName makes a list of Secret sortable.
func (SortSecretByName) Len ¶
func (s SortSecretByName) Len() int
func (SortSecretByName) Less ¶
func (s SortSecretByName) Less(i, j int) bool
func (SortSecretByName) Swap ¶
func (s SortSecretByName) Swap(i, j int)
type Tree ¶
type Tree struct { ParentPath ParentPath RootDir *Dir Dirs map[uuid.UUID]*Dir Secrets map[uuid.UUID]*Secret }
Tree contains a full tree from the RootDir and all dirs and secrets. ParentPath is used to construct absolute paths. ParentPath is the path to the parent of the root dir, eg: For namespace/repo/parent/rootdir => namespace/repo/parent
func (Tree) AbsDirPath ¶
AbsDirPath returns the full path of dir This function makes the assumption that only the root dir has no parentID. If not, an error will occur.
func (Tree) AbsSecretPath ¶
func (t Tree) AbsSecretPath(secretID uuid.UUID) (*SecretPath, error)
AbsSecretPath returns the full path of secret. This function makes the assumption that every secret has a ParentDir. If not, an error will occur.
func (Tree) DirCount ¶
DirCount returns the number of directories inside the tree. This does not include the root directory.
func (Tree) SecretCount ¶
SecretCount returns the number of secrets contained in the tree.
type UpdateAccessRuleRequest ¶
type UpdateAccessRuleRequest struct {
Permission Permission `json:"permission"`
}
UpdateAccessRuleRequest contains the request fields for updating an AccessRule.
func (*UpdateAccessRuleRequest) Validate ¶
func (uar *UpdateAccessRuleRequest) Validate() error
Validate validates the request fields.
type UpdateCredentialRequest ¶ added in v0.25.0
type UpdateCredentialRequest struct {
Enabled *bool `json:"enabled,omitempty"`
}
UpdateCredentialRequest contains the fields of a credential that can be updated.
func (*UpdateCredentialRequest) Validate ¶ added in v0.25.0
func (req *UpdateCredentialRequest) Validate() error
Validate whether the UpdateCredentialRequest is a valid request.
type UpdateOrgMemberRequest ¶
type UpdateOrgMemberRequest struct {
Role string `json:"role"`
}
UpdateOrgMemberRequest contains the required fields for updating a user's organization membership.
func (UpdateOrgMemberRequest) Validate ¶
func (req UpdateOrgMemberRequest) Validate() error
Validate validates the request fields.
type User ¶
type User struct { AccountID uuid.UUID `json:"account_id"` PublicKey []byte `json:"public_key"` Username string `json:"username"` FullName string `json:"full_name"` Email string `json:"user_email,omitempty"` // Optional, private information is only returned for yourself EmailVerified bool `json:"email_verified,omitempty"` // Optional, private information is only returned for yourself CreatedAt *time.Time `json:"created_at,omitempty"` // Optional, private information is only returned for yourself LastLoginAt *time.Time `json:"last_login_at,omitempty"` // Optional, private information is only returned for yourself }
User represents a SecretHub user.
func (User) PrettyName ¶
PrettyName returns a printable string with the username and full name.
func (User) ToAuditActor ¶
func (u User) ToAuditActor() *AuditActor
ToAuditActor converts a User to an AuditActor
func (User) ToAuditSubject ¶
func (u User) ToAuditSubject() *AuditSubject
ToAuditSubject converts a User to an AuditSubject
Source Files ¶
- account.go
- account_key.go
- acl.go
- audit.go
- auth.go
- auth_aws.go
- auth_gcp.go
- ciphertext.go
- credential.go
- dir.go
- docs.go
- encrypted_data.go
- encryption_key.go
- encryption_metadata.go
- encryption_parameters.go
- name.go
- namespace.go
- org.go
- paths.go
- patterns.go
- permission.go
- repo.go
- revoke.go
- secret.go
- secret_key.go
- secret_version.go
- server_errors.go
- service.go
- tree.go
- user.go
- values.go