physical

package
v1.1.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 30, 2019 License: MPL-2.0 Imports: 20 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	DeleteOperation Operation = "delete"
	GetOperation              = "get"
	ListOperation             = "list"
	PutOperation              = "put"
)
View Source 
const (
	// DefaultCacheSize is used if no cache size is specified for NewCache
	DefaultCacheSize = 128 * 1024
)
View Source 
const (
	// DefaultErrorPercent is used to determin how often we error
	DefaultErrorPercent = 20
)
View Source 
const (
	// DefaultJitterPercent is used if no cache size is specified for NewCache
	DefaultJitterPercent = 20
)
View Source 
const DefaultParallelOperations = 128

Variables

View Source 
var ErrNonPrintable = errors.New("key contains non-printable characters")
View Source 
var ErrNonUTF8 = errors.New("key contains invalid UTF-8 characters")
View Source 
var (
	ErrRelativePath = errors.New("relative paths not supported")
)

Functions

func ExerciseBackend added in v0.8.0 

func ExerciseBackend(t testing.TB, b Backend)

func ExerciseBackend_ListPrefix added in v0.8.0 

func ExerciseBackend_ListPrefix(t testing.TB, b Backend)

func ExerciseHABackend added in v0.8.0 

func ExerciseHABackend(t testing.TB, b HABackend, b2 HABackend)

func ExerciseTransactionalBackend added in v0.8.0 

func ExerciseTransactionalBackend(t testing.TB, b Backend)

func GenericTransactionHandler added in v0.8.0 

func GenericTransactionHandler(ctx context.Context, t PseudoTransactional, txns []*TxnEntry) (retErr error)

Implements the transaction interface

func Prefixes added in v0.8.0 

func Prefixes(s string) []string

Prefixes is a shared helper function returns all parent 'folders' for a given vault key. e.g. for 'foo/bar/baz', it returns ['foo', 'foo/bar']

Types

type ActiveFunction added in v0.8.0 

type ActiveFunction func() bool

Callback signatures for RunServiceDiscovery

type Backend 

type Backend interface {
	// Put is used to insert or update an entry
	Put(ctx context.Context, entry *Entry) error

	// Get is used to fetch an entry
	Get(ctx context.Context, key string) (*Entry, error)

	// Delete is used to permanently delete an entry
	Delete(ctx context.Context, key string) error

	// List is used to list all the keys under a given
	// prefix, up to the next prefix.
	List(ctx context.Context, prefix string) ([]string, error)
}

Backend is the interface required for a physical backend. A physical backend is used to durably store data outside of Vault. As such, it is completely untrusted, and is only accessed via a security barrier. The backends must represent keys in a hierarchical manner. All methods are expected to be thread safe.

func NewStorageEncoding added in v1.0.0 

func NewStorageEncoding(b Backend) Backend

NewStorageEncoding returns a wrapped physical backend and verifies the key encoding

type Cache 

type Cache struct {
	// contains filtered or unexported fields
}

Cache is used to wrap an underlying physical backend and provide an LRU cache layer on top. Most of the reads done by Vault are for policy objects so there is a large read reduction by using a simple write-through cache.

func NewCache 

func NewCache(b Backend, size int, logger log.Logger) *Cache

NewCache returns a physical cache of the given size. If no size is provided, the default size is used.

func (*Cache) Delete 

func (c *Cache) Delete(ctx context.Context, key string) error

func (*Cache) Get 

func (c *Cache) Get(ctx context.Context, key string) (*Entry, error)

func (*Cache) List 

func (c *Cache) List(ctx context.Context, prefix string) ([]string, error)

func (*Cache) Purge 

func (c *Cache) Purge(ctx context.Context)

Purge is used to clear the cache

func (*Cache) Put 

func (c *Cache) Put(ctx context.Context, entry *Entry) error

func (*Cache) SetEnabled added in v0.9.2 

func (c *Cache) SetEnabled(enabled bool)

SetEnabled is used to toggle whether the cache is on or off. It must be called with true to actually activate the cache after creation.

type EncryptedBlobInfo added in v1.0.0 

type EncryptedBlobInfo struct {
	Ciphertext []byte       `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"`
	IV         []byte       `protobuf:"bytes,2,opt,name=iv,proto3" json:"iv,omitempty"`
	HMAC       []byte       `protobuf:"bytes,3,opt,name=hmac,proto3" json:"hmac,omitempty"`
	Wrapped    bool         `protobuf:"varint,4,opt,name=wrapped,proto3" json:"wrapped,omitempty"`
	KeyInfo    *SealKeyInfo `protobuf:"bytes,5,opt,name=key_info,json=keyInfo,proto3" json:"key_info,omitempty"`
	// Key is the Key value for the entry that corresponds to
	// physical.Entry.Key's value
	Key                  string   `protobuf:"bytes,6,opt,name=key,proto3" json:"key,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*EncryptedBlobInfo) Descriptor added in v1.0.0 

func (*EncryptedBlobInfo) Descriptor() ([]byte, []int)

func (*EncryptedBlobInfo) GetCiphertext added in v1.0.0 

func (m *EncryptedBlobInfo) GetCiphertext() []byte

func (*EncryptedBlobInfo) GetHMAC added in v1.0.0 

func (m *EncryptedBlobInfo) GetHMAC() []byte

func (*EncryptedBlobInfo) GetIV added in v1.0.0 

func (m *EncryptedBlobInfo) GetIV() []byte

func (*EncryptedBlobInfo) GetKey added in v1.0.0 

func (m *EncryptedBlobInfo) GetKey() string

func (*EncryptedBlobInfo) GetKeyInfo added in v1.0.0 

func (m *EncryptedBlobInfo) GetKeyInfo() *SealKeyInfo

func (*EncryptedBlobInfo) GetWrapped added in v1.0.0 

func (m *EncryptedBlobInfo) GetWrapped() bool

func (*EncryptedBlobInfo) ProtoMessage added in v1.0.0 

func (*EncryptedBlobInfo) ProtoMessage()

func (*EncryptedBlobInfo) Reset added in v1.0.0 

func (m *EncryptedBlobInfo) Reset()

func (*EncryptedBlobInfo) String added in v1.0.0 

func (m *EncryptedBlobInfo) String() string

func (*EncryptedBlobInfo) XXX_DiscardUnknown added in v1.0.0 

func (m *EncryptedBlobInfo) XXX_DiscardUnknown()

func (*EncryptedBlobInfo) XXX_Marshal added in v1.0.0 

func (m *EncryptedBlobInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*EncryptedBlobInfo) XXX_Merge added in v1.0.0 

func (m *EncryptedBlobInfo) XXX_Merge(src proto.Message)

func (*EncryptedBlobInfo) XXX_Size added in v1.0.0 

func (m *EncryptedBlobInfo) XXX_Size() int

func (*EncryptedBlobInfo) XXX_Unmarshal added in v1.0.0 

func (m *EncryptedBlobInfo) XXX_Unmarshal(b []byte) error

type Entry 

type Entry struct {
	Key      string
	Value    []byte
	SealWrap bool `json:"seal_wrap,omitempty"`
}

Entry is used to represent data stored by the physical backend

type ErrorInjector added in v0.11.2 

type ErrorInjector struct {
	// contains filtered or unexported fields
}

ErrorInjector is used to add errors into underlying physical requests

func NewErrorInjector added in v0.11.2 

func NewErrorInjector(b Backend, errorPercent int, logger log.Logger) *ErrorInjector

NewErrorInjector returns a wrapped physical backend to inject error

func (*ErrorInjector) Delete added in v0.11.2 

func (e *ErrorInjector) Delete(ctx context.Context, key string) error

func (*ErrorInjector) Get added in v0.11.2 

func (e *ErrorInjector) Get(ctx context.Context, key string) (*Entry, error)

func (*ErrorInjector) List added in v0.11.2 

func (e *ErrorInjector) List(ctx context.Context, prefix string) ([]string, error)

func (*ErrorInjector) Put added in v0.11.2 

func (e *ErrorInjector) Put(ctx context.Context, entry *Entry) error

func (*ErrorInjector) SetErrorPercentage added in v0.11.2 

func (e *ErrorInjector) SetErrorPercentage(p int)

type Factory 

type Factory func(config map[string]string, logger log.Logger) (Backend, error)

Factory is the factory function to create a physical backend.

type HABackend 

type HABackend interface {
	// LockWith is used for mutual exclusion based on the given key.
	LockWith(key, value string) (Lock, error)

	// Whether or not HA functionality is enabled
	HAEnabled() bool
}

HABackend is an extensions to the standard physical backend to support high-availability. Vault only expects to use mutual exclusion to allow multiple instances to act as a hot standby for a leader that services all requests.

type LatencyInjector added in v0.8.3 

type LatencyInjector struct {
	// contains filtered or unexported fields
}

LatencyInjector is used to add latency into underlying physical requests

func NewLatencyInjector added in v0.8.3 

func NewLatencyInjector(b Backend, latency time.Duration, jitter int, logger log.Logger) *LatencyInjector

NewLatencyInjector returns a wrapped physical backend to simulate latency

func (*LatencyInjector) Delete added in v0.8.3 

func (l *LatencyInjector) Delete(ctx context.Context, key string) error

Delete is a latent delete request

func (*LatencyInjector) Get added in v0.8.3 

func (l *LatencyInjector) Get(ctx context.Context, key string) (*Entry, error)

Get is a latent get request

func (*LatencyInjector) List added in v0.8.3 

func (l *LatencyInjector) List(ctx context.Context, prefix string) ([]string, error)

List is a latent list request

func (*LatencyInjector) Put added in v0.8.3 

func (l *LatencyInjector) Put(ctx context.Context, entry *Entry) error

Put is a latent put request

func (*LatencyInjector) SetLatency added in v1.1.0 

func (l *LatencyInjector) SetLatency(latency time.Duration)

type Lock 

type Lock interface {
	// Lock is used to acquire the given lock
	// The stopCh is optional and if closed should interrupt the lock
	// acquisition attempt. The return struct should be closed when
	// leadership is lost.
	Lock(stopCh <-chan struct{}) (<-chan struct{}, error)

	// Unlock is used to release the lock
	Unlock() error

	// Returns the value of the lock and if it is held
	Value() (bool, string, error)
}

type Operation added in v0.7.0 

type Operation string

The operation type

type PerformanceStandbyFunction added in v0.11.2 

type PerformanceStandbyFunction func() bool

type PermitPool added in v0.4.0 

type PermitPool struct {
	// contains filtered or unexported fields
}

PermitPool is used to limit maximum outstanding requests

func NewPermitPool added in v0.4.0 

func NewPermitPool(permits int) *PermitPool

NewPermitPool returns a new permit pool with the provided number of permits

func (*PermitPool) Acquire added in v0.4.0 

func (c *PermitPool) Acquire()

Acquire returns when a permit has been acquired

func (*PermitPool) Release added in v0.4.0 

func (c *PermitPool) Release()

Release returns a permit to the pool

type PhysicalAccess added in v0.9.0 

type PhysicalAccess struct {
	// contains filtered or unexported fields
}

PhysicalAccess is a wrapper around physical.Backend that allows Core to expose its physical storage operations through PhysicalAccess() while restricting the ability to modify Core.physical itself.

func NewPhysicalAccess added in v0.9.0 

func NewPhysicalAccess(physical Backend) *PhysicalAccess

func (*PhysicalAccess) Delete added in v0.9.0 

func (p *PhysicalAccess) Delete(ctx context.Context, key string) error

func (*PhysicalAccess) Get added in v0.9.0 

func (p *PhysicalAccess) Get(ctx context.Context, key string) (*Entry, error)

func (*PhysicalAccess) List added in v0.9.0 

func (p *PhysicalAccess) List(ctx context.Context, prefix string) ([]string, error)

func (*PhysicalAccess) Purge added in v0.9.0 

func (p *PhysicalAccess) Purge(ctx context.Context)

func (*PhysicalAccess) Put added in v0.9.0 

func (p *PhysicalAccess) Put(ctx context.Context, entry *Entry) error

type PseudoTransactional added in v0.7.0 

type PseudoTransactional interface {
	// An internal function should do no locking or permit pool acquisition.
	// Depending on the backend and if it natively supports transactions, these
	// may simply chain to the normal backend functions.
	GetInternal(context.Context, string) (*Entry, error)
	PutInternal(context.Context, *Entry) error
	DeleteInternal(context.Context, string) error
}

type RedirectDetect added in v0.6.1 

type RedirectDetect interface {
	// DetectHostAddr is used to detect the host address
	DetectHostAddr() (string, error)
}

RedirectDetect is an optional interface that an HABackend can implement. If they do, a redirect address can be automatically detected.

type SealKeyInfo added in v1.0.0 

type SealKeyInfo struct {
	// Mechanism is the method used by the seal to encrypt and sign the
	// data as defined by the seal.
	Mechanism     uint64 `protobuf:"varint,1,opt,name=Mechanism,proto3" json:"Mechanism,omitempty"`
	HMACMechanism uint64 `protobuf:"varint,2,opt,name=HMACMechanism,proto3" json:"HMACMechanism,omitempty"`
	// This is an opaque ID used by the seal to identify the specific
	// key to use as defined by the seal.  This could be a version, key
	// label, or something else.
	KeyID     string `protobuf:"bytes,3,opt,name=KeyID,proto3" json:"KeyID,omitempty"`
	HMACKeyID string `protobuf:"bytes,4,opt,name=HMACKeyID,proto3" json:"HMACKeyID,omitempty"`
	// These value are used when generating our own data encryption keys
	// and encrypting them using the autoseal
	WrappedKey []byte `protobuf:"bytes,5,opt,name=WrappedKey,proto3" json:"WrappedKey,omitempty"`
	// Mechanism specific flags
	Flags                uint64   `protobuf:"varint,6,opt,name=Flags,proto3" json:"Flags,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

SealKeyInfo contains information regarding the seal used to encrypt the entry.

func (*SealKeyInfo) Descriptor added in v1.0.0 

func (*SealKeyInfo) Descriptor() ([]byte, []int)

func (*SealKeyInfo) GetFlags added in v1.0.0 

func (m *SealKeyInfo) GetFlags() uint64

func (*SealKeyInfo) GetHMACKeyID added in v1.0.0 

func (m *SealKeyInfo) GetHMACKeyID() string

func (*SealKeyInfo) GetHMACMechanism added in v1.0.0 

func (m *SealKeyInfo) GetHMACMechanism() uint64

func (*SealKeyInfo) GetKeyID added in v1.0.0 

func (m *SealKeyInfo) GetKeyID() string

func (*SealKeyInfo) GetMechanism added in v1.0.0 

func (m *SealKeyInfo) GetMechanism() uint64

func (*SealKeyInfo) GetWrappedKey added in v1.0.0 

func (m *SealKeyInfo) GetWrappedKey() []byte

func (*SealKeyInfo) ProtoMessage added in v1.0.0 

func (*SealKeyInfo) ProtoMessage()

func (*SealKeyInfo) Reset added in v1.0.0 

func (m *SealKeyInfo) Reset()

func (*SealKeyInfo) String added in v1.0.0 

func (m *SealKeyInfo) String() string

func (*SealKeyInfo) XXX_DiscardUnknown added in v1.0.0 

func (m *SealKeyInfo) XXX_DiscardUnknown()

func (*SealKeyInfo) XXX_Marshal added in v1.0.0 

func (m *SealKeyInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*SealKeyInfo) XXX_Merge added in v1.0.0 

func (m *SealKeyInfo) XXX_Merge(src proto.Message)

func (*SealKeyInfo) XXX_Size added in v1.0.0 

func (m *SealKeyInfo) XXX_Size() int

func (*SealKeyInfo) XXX_Unmarshal added in v1.0.0 

func (m *SealKeyInfo) XXX_Unmarshal(b []byte) error

type SealedFunction added in v0.8.0 

type SealedFunction func() bool

type ServiceDiscovery added in v0.6.0 

type ServiceDiscovery interface {
	// NotifyActiveStateChange is used by Core to notify a backend
	// capable of ServiceDiscovery that this Vault instance has changed
	// its status to active or standby.
	NotifyActiveStateChange() error

	// NotifySealedStateChange is used by Core to notify a backend
	// capable of ServiceDiscovery that Vault has changed its Sealed
	// status to sealed or unsealed.
	NotifySealedStateChange() error

	// NotifyPerformanceStandbyStateChange is used by Core to notify a backend
	// capable of ServiceDiscovery that this Vault instance has changed it
	// status to performance standby or standby.
	NotifyPerformanceStandbyStateChange() error

	// Run executes any background service discovery tasks until the
	// shutdown channel is closed.
	RunServiceDiscovery(waitGroup *sync.WaitGroup, shutdownCh ShutdownChannel, redirectAddr string, activeFunc ActiveFunction, sealedFunc SealedFunction, perfStandbyFunc PerformanceStandbyFunction) error
}

ServiceDiscovery is an optional interface that an HABackend can implement. If they do, the state of a backend is advertised to the service discovery network.

type ShutdownChannel added in v0.6.0 

type ShutdownChannel chan struct{}

ShutdownSignal

type StorageEncoding added in v1.0.0 

type StorageEncoding struct {
	Backend
}

StorageEncoding is used to add errors into underlying physical requests

func (*StorageEncoding) Delete added in v1.0.0 

func (e *StorageEncoding) Delete(ctx context.Context, key string) error

func (*StorageEncoding) Purge added in v1.0.0 

func (e *StorageEncoding) Purge(ctx context.Context)

func (*StorageEncoding) Put added in v1.0.0 

func (e *StorageEncoding) Put(ctx context.Context, entry *Entry) error

func (*StorageEncoding) SetEnabled added in v1.0.0 

func (e *StorageEncoding) SetEnabled(enabled bool)

type ToggleablePurgemonster added in v0.9.2 

type ToggleablePurgemonster interface {
	Purge(ctx context.Context)
	SetEnabled(bool)
}

ToggleablePurgemonster is an interface for backends that can toggle on or off special functionality and/or support purging. This is only used for the cache, don't use it for other things.

type Transactional added in v0.7.0 

type Transactional interface {
	// The function to run a transaction
	Transaction(context.Context, []*TxnEntry) error
}

Transactional is an optional interface for backends that support doing transactional updates of multiple keys. This is required for some features such as replication.

type TransactionalBackend added in v0.11.2 

type TransactionalBackend interface {
	Backend
	Transactional
}

type TransactionalCache added in v0.8.0 

type TransactionalCache struct {
	*Cache
	Transactional
}

TransactionalCache is a Cache that wraps the physical that is transactional

func NewTransactionalCache added in v0.8.0 

func NewTransactionalCache(b Backend, size int, logger log.Logger) *TransactionalCache

func (*TransactionalCache) Transaction added in v0.8.0 

func (c *TransactionalCache) Transaction(ctx context.Context, txns []*TxnEntry) error

type TransactionalErrorInjector added in v0.11.2 

type TransactionalErrorInjector struct {
	*ErrorInjector
	Transactional
}

TransactionalErrorInjector is the transactional version of the error injector

func NewTransactionalErrorInjector added in v0.11.2 

func NewTransactionalErrorInjector(b Backend, errorPercent int, logger log.Logger) *TransactionalErrorInjector

NewTransactionalErrorInjector creates a new transactional ErrorInjector

func (*TransactionalErrorInjector) Transaction added in v0.11.2 

func (e *TransactionalErrorInjector) Transaction(ctx context.Context, txns []*TxnEntry) error

type TransactionalLatencyInjector added in v0.8.3 

type TransactionalLatencyInjector struct {
	*LatencyInjector
	Transactional
}

TransactionalLatencyInjector is the transactional version of the latency injector

func NewTransactionalLatencyInjector added in v0.8.3 

func NewTransactionalLatencyInjector(b Backend, latency time.Duration, jitter int, logger log.Logger) *TransactionalLatencyInjector

NewTransactionalLatencyInjector creates a new transactional LatencyInjector

func (*TransactionalLatencyInjector) Transaction added in v0.8.3 

func (l *TransactionalLatencyInjector) Transaction(ctx context.Context, txns []*TxnEntry) error

Transaction is a latent transaction request

type TransactionalStorageEncoding added in v1.0.0 

type TransactionalStorageEncoding struct {
	*StorageEncoding
	Transactional
}

TransactionalStorageEncoding is the transactional version of the error injector

func (*TransactionalStorageEncoding) Transaction added in v1.0.0 

func (e *TransactionalStorageEncoding) Transaction(ctx context.Context, txns []*TxnEntry) error

type TxnEntry added in v0.7.0 

type TxnEntry struct {
	Operation Operation
	Entry     *Entry
}

TxnEntry is an operation that takes atomically as part of a transactional update. Only supported by Transactional backends.

func SetupTestingTransactions added in v0.8.0 

func SetupTestingTransactions(t testing.TB, b Backend) []*TxnEntry

type View added in v0.8.0 

type View struct {
	// contains filtered or unexported fields
}

View represents a prefixed view of a physical backend

func NewView added in v0.8.0 

func NewView(backend Backend, prefix string) *View

NewView takes an underlying physical backend and returns a view of it that can only operate with the given prefix.

func (*View) Delete added in v0.8.0 

func (v *View) Delete(ctx context.Context, key string) error

Delete the entry from the prefix view

func (*View) Get added in v0.8.0 

func (v *View) Get(ctx context.Context, key string) (*Entry, error)

Get the key of the prefixed view

func (*View) List added in v0.8.0 

func (v *View) List(ctx context.Context, prefix string) ([]string, error)

List the contents of the prefixed view

func (*View) Put added in v0.8.0 

func (v *View) Put(ctx context.Context, entry *Entry) error

Put the entry into the prefix view

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.