vaulted

package
Published: Feb 14, 2022 License: MIT Imports: 28 Imported by: 0

Constants

// Key-derivation work-factor constants.
//
// The names suggest (not verifiable from this page) that a vault's KDF
// iteration count is computed as BaseIterations plus a value drawn from
// [0, AdditionIterationsRange), i.e. somewhere in 131072..393215 — confirm
// against the key-derivation code before relying on either bound.
const (
	BaseIterations          = 1 << 17 // 131072
	AdditionIterationsRange = 1 << 18 // 262144
)
// DefaultSessionName is presumably the session name used when a caller does
// not supply one to Vault.NewSession / Store.CreateSession — confirm against
// the callers; this page only shows the constant.
const (
	DefaultSessionName = "VaultedSession"
)
// NoTolerance is the zero tolerance value for Session.Expired(tolerance).
// With it a session is presumably treated as expired exactly at, rather than
// some margin ahead of, its Expiration — confirm in Session.Expired.
const (
	NoTolerance time.Duration = 0
)

Variables

// Sentinel errors returned when opening or sealing a vault. Compare with
// errors.Is rather than string matching.
//
// NOTE(review): the messages are capitalized, contrary to Go convention;
// they are left as-is because changing them would affect any caller that
// matches on the text.
var (
	// ErrIncorrectPassword indicates the supplied password did not unlock
	// the vault (e.g. via Store.OpenVaultWithPassword).
	ErrIncorrectPassword = errors.New("Incorrect password")
	// ErrInvalidKeyConfig indicates the VaultKey method/details could not be
	// used to derive a key — presumably an unknown Method or missing Details.
	ErrInvalidKeyConfig = errors.New("Invalid key configuration")
	// ErrInvalidEncryptionConfig indicates the VaultFile/SessionFile
	// encryption method/details could not be used — presumably likewise.
	ErrInvalidEncryptionConfig = errors.New("Invalid encryption configuration")
)
// Sentinel errors for session spawning and MFA prompting. Compare with
// errors.Is.
var (
	// ErrInvalidCommand is presumably returned by Session.Spawn when the
	// command slice cannot be run (e.g. empty) — confirm in Spawn.
	ErrInvalidCommand = errors.New("Invalid command")
	// ErrNoTokenEntered is returned when a Steward cannot produce an MFA
	// code (see Steward.GetMFAToken and StaticSteward).
	ErrNoTokenEntered = errors.New("Could not get MFA code")
)
var (
	// ErrVaultSessionNotFound occurs when attempting to locate a vault session
	// in a SessionCache that isn't present (see SessionCache.GetVaultSession).
	// Callers should test for it with errors.Is.
	ErrVaultSessionNotFound = errors.New("Vault session not found")
)
// STSDurationDefault is the default lifetime requested for STS-issued
// temporary credentials (one hour). It is a package-level var, so a program
// may override it before use; this page does not show where it is read.
var STSDurationDefault = time.Hour
var (
	// SessionCacheVersion indicates the current version of the cache format.
	//
	// Any cache loaded that does not match this version is ignored. This
	// causes all caches written for previous versions to be invalidated.
	//
	// It is presumably compared against SessionCache.SessionCacheVersion
	// (the "version" JSON field) on load. Because it is a var rather than a
	// const, it can be changed at runtime; treat it as read-only.
	SessionCacheVersion = "3"
)

Functions

func STSEndpointResolver

func STSEndpointResolver(nextResolver endpoints.Resolver) endpoints.Resolver

The default endpoint resolver uses the global STS endpoint for all standard AWS regions, regardless of what region the client is configured to use. This resolver always uses the locally configured region instead.

func VaultSessionCacheKey

func VaultSessionCacheKey(vault *Vault) string

VaultSessionCacheKey computes a stable key based on the contents of a vault.

The computed key is intended to be used for things such as a session cache.

Types

type AWSCredentials

// AWSCredentials is an AWS access key pair, optionally with the session
// token, expiration and region that accompany STS-issued credentials.
//
// Every field — including Secret and Token — is JSON-serialized in plaintext
// (see the tags), so anywhere this struct is persisted (e.g. inside a
// Session held by a SessionCache) contains usable AWS credentials.
// NOTE(review): protection of that persisted data (file mode, encryption)
// is not visible on this page; confirm it in the Store implementation.
type AWSCredentials struct {
	ID     string `json:"id"`
	Secret string `json:"secret"`
	// Token is presumably empty for long-lived keys and set for credentials
	// returned by STS (see AWSCredentialsFromSTSCredentials) — confirm.
	Token string `json:"token,omitempty"`
	// Expiration is nil when the credentials have no known expiry; see
	// Expired for how it is interpreted.
	Expiration *time.Time `json:"expiration,omitempty"`
	// Region, when set, is the region the STS client is configured for
	// (see STSEndpointResolver, which honours the configured region).
	Region *string `json:"region,omitempty"`
}

func AWSCredentialsFromSTSCredentials

func AWSCredentialsFromSTSCredentials(creds *sts.Credentials, region *string) *AWSCredentials

func (*AWSCredentials) AssumeRole

func (c *AWSCredentials) AssumeRole(arn string, duration time.Duration) (*AWSCredentials, error)

func (*AWSCredentials) Expired

func (c *AWSCredentials) Expired() bool

func (*AWSCredentials) GetCallerIdentity

func (c *AWSCredentials) GetCallerIdentity() (arn.ARN, error)

func (*AWSCredentials) GetSessionToken

func (c *AWSCredentials) GetSessionToken(duration time.Duration) (*AWSCredentials, error)

func (*AWSCredentials) GetSessionTokenWithMFA

func (c *AWSCredentials) GetSessionTokenWithMFA(serialNumber, token string, duration time.Duration) (*AWSCredentials, error)

func (*AWSCredentials) Valid

func (c *AWSCredentials) Valid() bool

func (*AWSCredentials) ValidSession

func (c *AWSCredentials) ValidSession() bool

type AWSKey

// AWSKey is a long-lived AWS key stored in a Vault, together with the MFA
// device and role used when minting temporary credentials from it.
type AWSKey struct {
	AWSCredentials
	// MFA is the MFA device identifier passed as the serialNumber to
	// GetSessionTokenWithMFA; RequiresMFA presumably reports whether it is
	// non-empty — confirm.
	MFA string `json:"mfa,omitempty"`
	// Role is a role ARN to assume after the session token is obtained —
	// presumably via AWSCredentials.AssumeRole; confirm in GetAWSCredentials.
	Role string `json:"role,omitempty"`
	// ForgoTempCredGeneration, when true, presumably hands the long-lived
	// key itself to the session instead of an STS session token. That is a
	// weaker posture (no expiry, no MFA binding), so it should stay opt-in.
	ForgoTempCredGeneration bool `json:"forgoTempCredGeneration"`
}

func (*AWSKey) GetAWSCredentials

func (k *AWSKey) GetAWSCredentials(duration time.Duration) (*AWSCredentials, error)

func (*AWSKey) GetAWSCredentialsWithMFA

func (k *AWSKey) GetAWSCredentialsWithMFA(mfaToken string, duration time.Duration) (*AWSCredentials, error)

func (*AWSKey) RequiresMFA

func (k *AWSKey) RequiresMFA() bool

func (*AWSKey) Valid

func (k *AWSKey) Valid() bool

type Details

// Details is a free-form parameter bag (e.g. the "details" of a VaultKey,
// VaultFile or SessionFile) with typed accessors Bytes/Int/String and their
// Set* counterparts. NOTE(review): after JSON decoding, numbers arrive as
// float64 and byte slices as base64 strings; whether Int and Bytes account
// for that is not visible on this page — confirm before relying on them.
type Details map[string]interface{}

func (Details) Bytes

func (d Details) Bytes(name string) []byte

func (Details) Clone

func (d Details) Clone() Details

func (Details) Int

func (d Details) Int(name string) int

func (Details) SetBytes

func (d Details) SetBytes(name string, value []byte)

func (Details) SetInt

func (d Details) SetInt(name string, value int)

func (Details) SetString

func (d Details) SetString(name string, value string)

func (Details) String

func (d Details) String(name string) string

type Operation

// Operation tells a Steward why a password is being requested (see
// Steward.GetPassword), so an interactive implementation can, for example,
// confirm a new password on seal but not on open.
type Operation int

const (
	// OpenOperation: the password will be used to decrypt an existing vault.
	OpenOperation Operation = iota
	// SealOperation: the password will be used to encrypt a vault.
	SealOperation
)

type SSHOptions

// SSHOptions configures the SSH-related behaviour of a Vault / Session.
// The semantics below are inferred from the field names; the code that
// reads them is not on this page.
type SSHOptions struct {
	// DisableProxy presumably disables the SSH agent proxy for the session.
	DisableProxy bool `json:"disable_proxy"`
	// GenerateRSAKey presumably causes a fresh RSA key to be generated for
	// the session (see Session.GeneratedSSHKey).
	GenerateRSAKey bool `json:"generate_rsa_key"`
	// ValidPrincipals presumably lists the principals requested on a signed
	// SSH certificate.
	ValidPrincipals []string `json:"valid_principals,omitempty"`
	// VaultSigningUrl is presumably the endpoint of an SSH certificate
	// signing service. NOTE(review): a tampered signing endpoint could hand
	// back certificates of the attacker's choosing; confirm that callers
	// require https and validate the response.
	VaultSigningUrl string `json:"vault_signing_url,omitempty"`
}

type Session

// Session is the unsealed, time-limited view of a Vault that a process is
// actually run with (see Spawn and Variables).
//
// It carries live secret material — AWSCreds, GeneratedSSHKey, SSHKeys and
// possibly Vars — and is JSON-serializable, so a persisted Session (e.g. in
// a SessionCache) is as sensitive as the vault itself.
type Session struct {
	Name string `json:"name"`
	// Expiration is the point after which Expired reports true (subject to
	// the tolerance passed to Expired).
	Expiration time.Time `json:"expiration"`

	// ActiveRole is presumably the role currently assumed (see AssumeRole /
	// AssumeSessionRole) as distinct from the configured Role — confirm.
	ActiveRole string `json:"active_role,omitempty"`

	// AWSCreds holds the temporary (or, if the vault forgoes temp
	// credentials, long-lived) AWS credentials for the session.
	AWSCreds *AWSCredentials `json:"aws_creds,omitempty"`
	// GeneratedSSHKey is presumably the private key generated when
	// SSHOptions.GenerateRSAKey is set — confirm its encoding.
	GeneratedSSHKey string `json:"generated_ssh_key,omitempty"`
	Role            string `json:"role,omitempty"`
	// Vars are environment variables to set in the spawned process; see
	// Variables for how they are applied.
	Vars map[string]string `json:"vars,omitempty"`
	// SSHKeys maps a key name to key material, presumably private keys
	// loaded into the session's agent — confirm.
	SSHKeys    map[string]string `json:"ssh_keys,omitempty"`
	SSHOptions *SSHOptions       `json:"ssh_options,omitempty"`
}

func (*Session) AssumeRole

func (s *Session) AssumeRole(roleArn string) (*Session, error)

func (*Session) AssumeSessionRole

func (s *Session) AssumeSessionRole() (*Session, error)

func (*Session) Clone

func (s *Session) Clone() *Session

func (*Session) Expired

func (s *Session) Expired(tolerance time.Duration) bool

func (*Session) Spawn

func (s *Session) Spawn(cmd []string) (*int, error)

func (*Session) Variables

func (s *Session) Variables() *Variables

type SessionCache

// SessionCache stores sessions keyed based on the contents of the vault that
// spawned the session; see VaultSessionCacheKey for how the key is derived.
//
// The cache is JSON-serializable and each Session inside it holds live
// credentials, so wherever it is written to disk it must be protected at
// least as strongly as the vault files. NOTE(review): that storage path and
// its permissions are not visible on this page.
type SessionCache struct {
	// SessionCacheVersion is compared (presumably on load) against the
	// package-level SessionCacheVersion; a mismatch invalidates the cache.
	SessionCacheVersion string `json:"version"`
	// Sessions is keyed by VaultSessionCacheKey(vault).
	Sessions map[string]*Session `json:"sessions"`
}

SessionCache stores sessions keyed based on the contents of the vault that spawned the session.

See VaultSessionCacheKey for details on how the key is generated.

func (*SessionCache) GetVaultSession

func (sc *SessionCache) GetVaultSession(vault *Vault) (*Session, error)

GetVaultSession retrieves a copy of a session in the cache.

The retrieved session is keyed using the contents of the provided vault.

func (*SessionCache) PutVaultSession

func (sc *SessionCache) PutVaultSession(vault *Vault, session *Session)

PutVaultSession stores a copy of a session in the cache.

The stored session is keyed using the contents of the provided vault.

func (*SessionCache) RemoveExpiredSessions

func (sc *SessionCache) RemoveExpiredSessions()

RemoveExpiredSessions removes sessions from the cache that have expired.

type SessionFile

// SessionFile is the on-disk encrypted form of a session.
type SessionFile struct {
	// Method names the encryption scheme used to produce Ciphertext;
	// an unrecognised value presumably yields ErrInvalidEncryptionConfig.
	Method string `json:"method"`
	// Details holds the scheme's parameters (e.g. nonce) — exact keys are
	// not visible on this page; see Details accessors.
	Details Details `json:"details,omitempty"`
	// Ciphertext is the encrypted session payload.
	Ciphertext []byte `json:"ciphertext"`
}

type StaticSteward

// StaticSteward is a Steward that answers every password request with a
// fixed password and every MFA request with a fixed token (or an error when
// none was provided). Intended for non-interactive use; see
// NewStaticSteward and NewStaticStewardWithMFA.
//
// NOTE(review): Password is held as a Go string and cannot be zeroed after
// use; it stays in memory for the lifetime of the value.
type StaticSteward struct {
	Password string
	// MFAToken is nil when constructed via NewStaticSteward; GetMFAToken
	// presumably returns ErrNoTokenEntered in that case — confirm.
	MFAToken *string
}

func NewStaticSteward

func NewStaticSteward(password string) *StaticSteward

func NewStaticStewardWithMFA

func NewStaticStewardWithMFA(password, mfaToken string) *StaticSteward

func (*StaticSteward) GetMFAToken

func (s *StaticSteward) GetMFAToken(name string) (string, error)

func (*StaticSteward) GetPassword

func (s *StaticSteward) GetPassword(operation Operation, name string) (string, error)

type Steward

// Steward supplies the secrets a Store needs from the user: the vault
// password and, when an AWSKey requires it, a one-time MFA code. An
// implementation may additionally satisfy StewardMaxTries.
type Steward interface {
	// GetMFAToken returns an MFA code for the named vault, or an error
	// (ErrNoTokenEntered when none is available).
	GetMFAToken(name string) (string, error)
	// GetPassword returns the password for the named vault; operation says
	// whether it is for opening (decrypting) or sealing (encrypting).
	GetPassword(operation Operation, name string) (string, error)
}

type StewardMaxTries

// StewardMaxTries is an optional interface a Steward may implement to bound
// how many password attempts are made when opening a vault — presumably
// consulted by Store.OpenVault on ErrIncorrectPassword; confirm in the
// store implementation.
type StewardMaxTries interface {
	GetMaxOpenTries() int
}

type Store

// Store manages named vaults and the sessions spawned from them, obtaining
// passwords and MFA codes from its Steward when a method without an
// explicit password is used. See New.
type Store interface {
	// Steward returns the Steward this store asks for passwords and MFA codes.
	Steward() Steward

	// ListVaults returns the names of the vaults in the store.
	ListVaults() ([]string, error)

	// VaultExists reports whether a vault with the given name is present.
	VaultExists(name string) bool
	// OpenVault decrypts the named vault, obtaining the password from the
	// Steward. The returned string is presumably the password that
	// succeeded (matching the password parameter of the *WithPassword
	// variants) — confirm; returns ErrIncorrectPassword on failure.
	OpenVault(name string) (*Vault, string, error)
	// OpenVaultWithPassword is OpenVault with an explicit password.
	OpenVaultWithPassword(name, password string) (*Vault, string, error)
	// SealVault encrypts and writes vault under name, obtaining the
	// password from the Steward (with SealOperation).
	SealVault(vault *Vault, name string) error
	// SealVaultWithPassword is SealVault with an explicit password.
	SealVaultWithPassword(vault *Vault, name, password string) error
	// RemoveVault deletes the named vault.
	RemoveVault(name string) error

	// CreateSession creates a new session from vault, prompting the Steward
	// for an MFA code if the vault's AWSKey requires one.
	CreateSession(vault *Vault, name, password string) (*Session, error)
	// GetSession returns an existing session for vault, presumably from the
	// SessionCache, creating one when none is valid — confirm.
	GetSession(vault *Vault, name, password string) (*Session, error)
}

func New

func New(steward Steward) Store

type Variables

// Variables describes the environment changes a Session applies to a
// spawned process (see Session.Variables and Session.Spawn).
type Variables struct {
	// Set maps variable name to value to export.
	Set map[string]string
	// Unset lists variable names to remove from the environment.
	Unset []string
}

type Vault

// Vault is the decrypted contents of a vault file: the long-lived secrets
// from which a Session is derived. It is what VaultFile.Ciphertext protects,
// and VaultSessionCacheKey is computed from its contents.
type Vault struct {
	// Duration is presumably the lifetime requested for sessions created
	// from this vault (cf. STSDurationDefault); zero means "use the default"
	// — confirm in NewSession.
	Duration time.Duration `json:"duration,omitempty"`
	// AWSKey is the long-lived AWS key, if any, plus its MFA/role settings.
	AWSKey *AWSKey `json:"aws_key,omitempty"`
	// Vars are environment variables exported into sessions.
	Vars map[string]string `json:"vars,omitempty"`
	// SSHKeys maps a key name to key material made available to sessions.
	SSHKeys    map[string]string `json:"ssh_keys,omitempty"`
	SSHOptions *SSHOptions       `json:"ssh_options,omitempty"`
}

func (*Vault) NewSession

func (v *Vault) NewSession(name string) (*Session, error)

func (*Vault) NewSessionWithMFA

func (v *Vault) NewSessionWithMFA(name, mfaToken string) (*Session, error)

type VaultFile

// VaultFile is the on-disk encrypted form of a Vault: how the key is
// derived (Key) and how the payload was encrypted (Method/Details), plus
// the ciphertext itself.
type VaultFile struct {
	// Key describes the password-to-key derivation; nil or an unknown
	// method presumably yields ErrInvalidKeyConfig.
	Key *VaultKey `json:"key"`

	// Method names the encryption scheme; an unrecognised value presumably
	// yields ErrInvalidEncryptionConfig.
	Method string `json:"method"`
	// Details holds the scheme's parameters — exact keys not visible here.
	Details Details `json:"details,omitempty"`
	// Ciphertext is the encrypted JSON-encoded Vault — presumably; confirm.
	Ciphertext []byte `json:"ciphertext"`
}

type VaultKey

// VaultKey describes how a vault's encryption key is derived from the
// password. Details is not marked omitempty, so it is always emitted.
type VaultKey struct {
	// Method names the KDF.
	Method string `json:"method"`
	// Details holds the KDF parameters — presumably salt and an iteration
	// count built from BaseIterations / AdditionIterationsRange; the exact
	// keys are not visible on this page.
	Details Details `json:"details"`
}
