Documentation
Index
- Variables
- func DoLdapAuthentication(username, password string) bool
- func EndBooking(envPlainName string)
- func InitVaultParams(l logging.Logger, config util.GafaspotConfig)
- func ReadCredentials(envPlainName string) map[string]map[string]interface{}
- func StartBooking(envPlainName, sshKey string, until time.Time)
- type SecEng
Constants
This section is empty.
Variables
var ErrAuth = errors.New("ldap authentication failed")
ErrAuth is returned if an authentication against LDAP through Vault fails for any reason.
Functions
func DoLdapAuthentication
func DoLdapAuthentication(username, password string) bool
DoLdapAuthentication performs an LDAP authentication against a Vault LDAP Auth Method. It first checks whether the username and password are accepted by the configured LDAP server at all. If so, it checks whether Vault assigns the ldap-group-policy given in gafaspot_config.yaml to the login. This is the case if the user is a member of the correct LDAP group (and the Vault auth method is configured correctly).
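The two-step decision described above (credentials accepted by LDAP, and the configured group policy actually attached by Vault) is the part of the check that is easy to get wrong: a login that succeeds but lacks the policy must still be treated as a failure. The following is an added example, not code from the gafaspot project. It parses the `auth` block of a Vault login response (the `client_token`, `policies` and `token_policies` fields are Vault's documented JSON) and returns the page's `ErrAuth` unless the expected policy is present. The policy name `gafaspot-user`, the sample responses and the `login` callback that stands in for the HTTP call are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrAuth mirrors the package's sentinel error: every failure on the
// Vault/LDAP path is reported as this one value, so callers cannot
// distinguish "wrong password" from "not in the group".
var ErrAuth = errors.New("ldap authentication failed")

// loginResponse models only the part of a Vault login response this check
// needs. Field names follow Vault's JSON; everything else is ignored.
type loginResponse struct {
	Auth *struct {
		ClientToken   string   `json:"client_token"`
		Policies      []string `json:"policies"`
		TokenPolicies []string `json:"token_policies"`
	} `json:"auth"`
	Errors []string `json:"errors"`
}

// hasPolicy reports whether name appears in either policy list Vault returns.
func hasPolicy(r *loginResponse, name string) bool {
	for _, list := range [][]string{r.Auth.Policies, r.Auth.TokenPolicies} {
		for _, p := range list {
			if p == name {
				return true
			}
		}
	}
	return false
}

// checkGroupPolicy decides whether a Vault LDAP login counts as successful:
// the credentials must have been accepted (an auth block with a token is
// present) AND the policy configured for the LDAP group must be among the
// policies Vault attached to the token. A valid login without that policy
// means the user exists in LDAP but is not in the expected group.
func checkGroupPolicy(body []byte, groupPolicy string) error {
	var resp loginResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return ErrAuth // malformed response: fail closed
	}
	if resp.Auth == nil || resp.Auth.ClientToken == "" {
		return ErrAuth // Vault returned errors or no token: credentials rejected
	}
	if !hasPolicy(&resp, groupPolicy) {
		return ErrAuth // authenticated, but not a member of the required group
	}
	return nil
}

// doLdapAuthentication has the bool-returning shape of the page's function.
// The HTTP call to Vault is replaced by a caller-supplied login function
// (an assumption of this example) so the check runs offline.
func doLdapAuthentication(login func(username, password string) ([]byte, error), groupPolicy, username, password string) bool {
	body, err := login(username, password)
	if err != nil {
		return false
	}
	return checkGroupPolicy(body, groupPolicy) == nil
}

// Constructed sample responses, not captured from a real Vault instance.
const (
	memberResp    = `{"auth":{"client_token":"EXAMPLE-TOKEN","policies":["default","gafaspot-user"],"token_policies":["default","gafaspot-user"]}}`
	nonMemberResp = `{"auth":{"client_token":"EXAMPLE-TOKEN","policies":["default"],"token_policies":["default"]}}`
	rejectedResp  = `{"errors":["ldap operation failed: failed to bind as user"]}`
)

func main() {
	samples := map[string]string{"member": memberResp, "non-member": nonMemberResp, "rejected": rejectedResp}
	for name, body := range samples {
		fmt.Printf("%-10s ok=%v\n", name, checkGroupPolicy([]byte(body), "gafaspot-user") == nil)
	}
}
```

Only the `member` sample passes; the `non-member` response is a genuine successful LDAP bind that still yields `ErrAuth`, which is the behaviour the package documentation describes.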
func EndBooking
func EndBooking(envPlainName string)
EndBooking ends a booking for a whole environment.
func InitVaultParams
func InitVaultParams(l logging.Logger, config util.GafaspotConfig)
InitVaultParams initializes the vault package from gafaspot. Besides setting the logger, it reads several values from config and readies gafaspot to communicate with the vault Auth Methods. Further, it creates several SecEng objects to communicate with vault secrets engines.
func ReadCredentials
func ReadCredentials(envPlainName string) map[string]map[string]interface{}
ReadCredentials reads the credentials from all KV Secrets Engines related to the environment envPlainName and returns them as a map. The map keys are the Secrets Engines' names. If no credentials can be retrieved because the environment does not exist, an error message is logged and the result is nil. If retrieving credentials fails for a specific Secrets Engine, a short error message is written into the map in place of the credentials, so that it is automatically displayed in the creds view.
func StartBooking
func StartBooking(envPlainName, sshKey string, until time.Time)
StartBooking starts a booking for a whole environment. As the environment may include SSH secrets engines, this function needs an SSH key. If there is no SSH secrets engine inside the environment, the sshKey parameter is ignored everywhere. The time 'until' is needed to calculate the TTL for an orphan Vault token, which will be the parent of all the Vault secrets in this reservation.
Types
type SecEng
type SecEng interface {
// contains filtered or unexported methods
}
SecEng is a handler for one credential secrets engine such as "ad" or "ssh" inside Vault. As the secrets retrieved from a secrets engine need to be saved somewhere, each credential secrets engine has an equivalently named KV secrets engine as storage, which is also accessed through this interface. A SecEng stores the URLs on which the secrets engines listen and provides the functionality needed to start and end bookings, such as changing credentials and storing or deleting them.