Documentation

Index

Constants

View Source
const (
	DeleteOperation Operation = "delete"
	GetOperation              = "get"
	ListOperation             = "list"
	PutOperation              = "put"
)
View Source
const (
	// DefaultCacheSize is used if no cache size is specified for NewCache
	DefaultCacheSize = 128 * 1024
)
View Source
const (
	// DefaultErrorPercent is used to determin how often we error
	DefaultErrorPercent = 20
)
View Source
const (
	// DefaultJitterPercent is used if no cache size is specified for NewCache
	DefaultJitterPercent = 20
)
View Source
const DefaultParallelOperations = 128

Variables

View Source
var ErrNonPrintable = errors.New("key contains non-printable characters")
View Source
var ErrNonUTF8 = errors.New("key contains invalid UTF-8 characters")
View Source
var (
	ErrRelativePath = errors.New("relative paths not supported")
)

Functions

func ExerciseBackend

func ExerciseBackend(t testing.TB, b Backend)

func ExerciseBackend_ListPrefix

func ExerciseBackend_ListPrefix(t testing.TB, b Backend)

func ExerciseHABackend

func ExerciseHABackend(t testing.TB, b HABackend, b2 HABackend)

func ExerciseTransactionalBackend

func ExerciseTransactionalBackend(t testing.TB, b Backend)

func GenericTransactionHandler

func GenericTransactionHandler(ctx context.Context, t PseudoTransactional, txns []*TxnEntry) (retErr error)

    Implements the transaction interface

    func Prefixes

    func Prefixes(s string) []string

      Prefixes is a shared helper function returns all parent 'folders' for a given vault key. e.g. for 'foo/bar/baz', it returns ['foo', 'foo/bar']

      Types

      type ActiveFunction

      type ActiveFunction func() bool

        Callback signatures for RunServiceDiscovery

        type Backend

        type Backend interface {
        	// Put is used to insert or update an entry
        	Put(ctx context.Context, entry *Entry) error
        
        	// Get is used to fetch an entry
        	Get(ctx context.Context, key string) (*Entry, error)
        
        	// Delete is used to permanently delete an entry
        	Delete(ctx context.Context, key string) error
        
        	// List is used to list all the keys under a given
        	// prefix, up to the next prefix.
        	List(ctx context.Context, prefix string) ([]string, error)
        }

          Backend is the interface required for a physical backend. A physical backend is used to durably store data outside of Vault. As such, it is completely untrusted, and is only accessed via a security barrier. The backends must represent keys in a hierarchical manner. All methods are expected to be thread safe.

          func NewStorageEncoding

          func NewStorageEncoding(b Backend) Backend

            NewStorageEncoding returns a wrapped physical backend and verifies the key encoding

            type Cache

            type Cache struct {
            	// contains filtered or unexported fields
            }

              Cache is used to wrap an underlying physical backend and provide an LRU cache layer on top. Most of the reads done by Vault are for policy objects so there is a large read reduction by using a simple write-through cache.

              func NewCache

              func NewCache(b Backend, size int, logger log.Logger) *Cache

                NewCache returns a physical cache of the given size. If no size is provided, the default size is used.

                func (*Cache) Delete

                func (c *Cache) Delete(ctx context.Context, key string) error

                func (*Cache) Get

                func (c *Cache) Get(ctx context.Context, key string) (*Entry, error)

                func (*Cache) List

                func (c *Cache) List(ctx context.Context, prefix string) ([]string, error)

                func (*Cache) Purge

                func (c *Cache) Purge(ctx context.Context)

                  Purge is used to clear the cache

                  func (*Cache) Put

                  func (c *Cache) Put(ctx context.Context, entry *Entry) error

                  func (*Cache) SetEnabled

                  func (c *Cache) SetEnabled(enabled bool)

                    SetEnabled is used to toggle whether the cache is on or off. It must be called with true to actually activate the cache after creation.

                    type EncryptedBlobInfo

                    type EncryptedBlobInfo struct {
                    	Ciphertext []byte       `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"`
                    	IV         []byte       `protobuf:"bytes,2,opt,name=iv,proto3" json:"iv,omitempty"`
                    	HMAC       []byte       `protobuf:"bytes,3,opt,name=hmac,proto3" json:"hmac,omitempty"`
                    	Wrapped    bool         `protobuf:"varint,4,opt,name=wrapped,proto3" json:"wrapped,omitempty"`
                    	KeyInfo    *SealKeyInfo `protobuf:"bytes,5,opt,name=key_info,json=keyInfo,proto3" json:"key_info,omitempty"`
                    	// Key is the Key value for the entry that corresponds to
                    	// physical.Entry.Key's value
                    	Key                  string   `protobuf:"bytes,6,opt,name=key,proto3" json:"key,omitempty"`
                    	XXX_NoUnkeyedLiteral struct{} `json:"-"`
                    	XXX_unrecognized     []byte   `json:"-"`
                    	XXX_sizecache        int32    `json:"-"`
                    }

                    func (*EncryptedBlobInfo) Descriptor

                    func (*EncryptedBlobInfo) Descriptor() ([]byte, []int)

                    func (*EncryptedBlobInfo) GetCiphertext

                    func (m *EncryptedBlobInfo) GetCiphertext() []byte

                    func (*EncryptedBlobInfo) GetHMAC

                    func (m *EncryptedBlobInfo) GetHMAC() []byte

                    func (*EncryptedBlobInfo) GetIV

                    func (m *EncryptedBlobInfo) GetIV() []byte

                    func (*EncryptedBlobInfo) GetKey

                    func (m *EncryptedBlobInfo) GetKey() string

                    func (*EncryptedBlobInfo) GetKeyInfo

                    func (m *EncryptedBlobInfo) GetKeyInfo() *SealKeyInfo

                    func (*EncryptedBlobInfo) GetWrapped

                    func (m *EncryptedBlobInfo) GetWrapped() bool

                    func (*EncryptedBlobInfo) ProtoMessage

                    func (*EncryptedBlobInfo) ProtoMessage()

                    func (*EncryptedBlobInfo) Reset

                    func (m *EncryptedBlobInfo) Reset()

                    func (*EncryptedBlobInfo) String

                    func (m *EncryptedBlobInfo) String() string

                    func (*EncryptedBlobInfo) XXX_DiscardUnknown

                    func (m *EncryptedBlobInfo) XXX_DiscardUnknown()

                    func (*EncryptedBlobInfo) XXX_Marshal

                    func (m *EncryptedBlobInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

                    func (*EncryptedBlobInfo) XXX_Merge

                    func (m *EncryptedBlobInfo) XXX_Merge(src proto.Message)

                    func (*EncryptedBlobInfo) XXX_Size

                    func (m *EncryptedBlobInfo) XXX_Size() int

                    func (*EncryptedBlobInfo) XXX_Unmarshal

                    func (m *EncryptedBlobInfo) XXX_Unmarshal(b []byte) error

                    type Entry

                    type Entry struct {
                    	Key      string
                    	Value    []byte
                    	SealWrap bool `json:"seal_wrap,omitempty"`
                    }

                      Entry is used to represent data stored by the physical backend

                      type ErrorInjector

                      type ErrorInjector struct {
                      	// contains filtered or unexported fields
                      }

                        ErrorInjector is used to add errors into underlying physical requests

                        func NewErrorInjector

                        func NewErrorInjector(b Backend, errorPercent int, logger log.Logger) *ErrorInjector

                          NewErrorInjector returns a wrapped physical backend to inject error

                          func (*ErrorInjector) Delete

                          func (e *ErrorInjector) Delete(ctx context.Context, key string) error

                          func (*ErrorInjector) Get

                          func (e *ErrorInjector) Get(ctx context.Context, key string) (*Entry, error)

                          func (*ErrorInjector) List

                          func (e *ErrorInjector) List(ctx context.Context, prefix string) ([]string, error)

                          func (*ErrorInjector) Put

                          func (e *ErrorInjector) Put(ctx context.Context, entry *Entry) error

                          func (*ErrorInjector) SetErrorPercentage

                          func (e *ErrorInjector) SetErrorPercentage(p int)

                          type Factory

                          type Factory func(config map[string]string, logger log.Logger) (Backend, error)

                            Factory is the factory function to create a physical backend.

                            type HABackend

                            type HABackend interface {
                            	// LockWith is used for mutual exclusion based on the given key.
                            	LockWith(key, value string) (Lock, error)
                            
                            	// Whether or not HA functionality is enabled
                            	HAEnabled() bool
                            }

                              HABackend is an extensions to the standard physical backend to support high-availability. Vault only expects to use mutual exclusion to allow multiple instances to act as a hot standby for a leader that services all requests.

                              type LatencyInjector

                              type LatencyInjector struct {
                              	// contains filtered or unexported fields
                              }

                                LatencyInjector is used to add latency into underlying physical requests

                                func NewLatencyInjector

                                func NewLatencyInjector(b Backend, latency time.Duration, jitter int, logger log.Logger) *LatencyInjector

                                  NewLatencyInjector returns a wrapped physical backend to simulate latency

                                  func (*LatencyInjector) Delete

                                  func (l *LatencyInjector) Delete(ctx context.Context, key string) error

                                    Delete is a latent delete request

                                    func (*LatencyInjector) Get

                                    func (l *LatencyInjector) Get(ctx context.Context, key string) (*Entry, error)

                                      Get is a latent get request

                                      func (*LatencyInjector) List

                                      func (l *LatencyInjector) List(ctx context.Context, prefix string) ([]string, error)

                                        List is a latent list request

                                        func (*LatencyInjector) Put

                                        func (l *LatencyInjector) Put(ctx context.Context, entry *Entry) error

                                          Put is a latent put request

                                          func (*LatencyInjector) SetLatency

                                          func (l *LatencyInjector) SetLatency(latency time.Duration)

                                          type Lock

                                          type Lock interface {
                                          	// Lock is used to acquire the given lock
                                          	// The stopCh is optional and if closed should interrupt the lock
                                          	// acquisition attempt. The return struct should be closed when
                                          	// leadership is lost.
                                          	Lock(stopCh <-chan struct{}) (<-chan struct{}, error)
                                          
                                          	// Unlock is used to release the lock
                                          	Unlock() error
                                          
                                          	// Returns the value of the lock and if it is held
                                          	Value() (bool, string, error)
                                          }

                                          type Operation

                                          type Operation string

                                            The operation type

                                            type PerformanceStandbyFunction

                                            type PerformanceStandbyFunction func() bool

                                            type PermitPool

                                            type PermitPool struct {
                                            	// contains filtered or unexported fields
                                            }

                                              PermitPool is used to limit maximum outstanding requests

                                              func NewPermitPool

                                              func NewPermitPool(permits int) *PermitPool

                                                NewPermitPool returns a new permit pool with the provided number of permits

                                                func (*PermitPool) Acquire

                                                func (c *PermitPool) Acquire()

                                                  Acquire returns when a permit has been acquired

                                                  func (*PermitPool) Release

                                                  func (c *PermitPool) Release()

                                                    Release returns a permit to the pool

                                                    type PhysicalAccess

                                                    type PhysicalAccess struct {
                                                    	// contains filtered or unexported fields
                                                    }

                                                      PhysicalAccess is a wrapper around physical.Backend that allows Core to expose its physical storage operations through PhysicalAccess() while restricting the ability to modify Core.physical itself.

                                                      func NewPhysicalAccess

                                                      func NewPhysicalAccess(physical Backend) *PhysicalAccess

                                                      func (*PhysicalAccess) Delete

                                                      func (p *PhysicalAccess) Delete(ctx context.Context, key string) error

                                                      func (*PhysicalAccess) Get

                                                      func (p *PhysicalAccess) Get(ctx context.Context, key string) (*Entry, error)

                                                      func (*PhysicalAccess) List

                                                      func (p *PhysicalAccess) List(ctx context.Context, prefix string) ([]string, error)

                                                      func (*PhysicalAccess) Purge

                                                      func (p *PhysicalAccess) Purge(ctx context.Context)

                                                      func (*PhysicalAccess) Put

                                                      func (p *PhysicalAccess) Put(ctx context.Context, entry *Entry) error

                                                      type PseudoTransactional

                                                      type PseudoTransactional interface {
                                                      	// An internal function should do no locking or permit pool acquisition.
                                                      	// Depending on the backend and if it natively supports transactions, these
                                                      	// may simply chain to the normal backend functions.
                                                      	GetInternal(context.Context, string) (*Entry, error)
                                                      	PutInternal(context.Context, *Entry) error
                                                      	DeleteInternal(context.Context, string) error
                                                      }

                                                      type RedirectDetect

                                                      type RedirectDetect interface {
                                                      	// DetectHostAddr is used to detect the host address
                                                      	DetectHostAddr() (string, error)
                                                      }

                                                        RedirectDetect is an optional interface that an HABackend can implement. If they do, a redirect address can be automatically detected.

                                                        type SealKeyInfo

                                                        type SealKeyInfo struct {
                                                        	// Mechanism is the method used by the seal to encrypt and sign the
                                                        	// data as defined by the seal.
                                                        	Mechanism     uint64 `protobuf:"varint,1,opt,name=Mechanism,proto3" json:"Mechanism,omitempty"`
                                                        	HMACMechanism uint64 `protobuf:"varint,2,opt,name=HMACMechanism,proto3" json:"HMACMechanism,omitempty"`
                                                        	// This is an opaque ID used by the seal to identify the specific
                                                        	// key to use as defined by the seal.  This could be a version, key
                                                        	// label, or something else.
                                                        	KeyID     string `protobuf:"bytes,3,opt,name=KeyID,proto3" json:"KeyID,omitempty"`
                                                        	HMACKeyID string `protobuf:"bytes,4,opt,name=HMACKeyID,proto3" json:"HMACKeyID,omitempty"`
                                                        	// These value are used when generating our own data encryption keys
                                                        	// and encrypting them using the autoseal
                                                        	WrappedKey []byte `protobuf:"bytes,5,opt,name=WrappedKey,proto3" json:"WrappedKey,omitempty"`
                                                        	// Mechanism specific flags
                                                        	Flags                uint64   `protobuf:"varint,6,opt,name=Flags,proto3" json:"Flags,omitempty"`
                                                        	XXX_NoUnkeyedLiteral struct{} `json:"-"`
                                                        	XXX_unrecognized     []byte   `json:"-"`
                                                        	XXX_sizecache        int32    `json:"-"`
                                                        }

                                                          SealKeyInfo contains information regarding the seal used to encrypt the entry.

                                                          func (*SealKeyInfo) Descriptor

                                                          func (*SealKeyInfo) Descriptor() ([]byte, []int)

                                                          func (*SealKeyInfo) GetFlags

                                                          func (m *SealKeyInfo) GetFlags() uint64

                                                          func (*SealKeyInfo) GetHMACKeyID

                                                          func (m *SealKeyInfo) GetHMACKeyID() string

                                                          func (*SealKeyInfo) GetHMACMechanism

                                                          func (m *SealKeyInfo) GetHMACMechanism() uint64

                                                          func (*SealKeyInfo) GetKeyID

                                                          func (m *SealKeyInfo) GetKeyID() string

                                                          func (*SealKeyInfo) GetMechanism

                                                          func (m *SealKeyInfo) GetMechanism() uint64

                                                          func (*SealKeyInfo) GetWrappedKey

                                                          func (m *SealKeyInfo) GetWrappedKey() []byte

                                                          func (*SealKeyInfo) ProtoMessage

                                                          func (*SealKeyInfo) ProtoMessage()

                                                          func (*SealKeyInfo) Reset

                                                          func (m *SealKeyInfo) Reset()

                                                          func (*SealKeyInfo) String

                                                          func (m *SealKeyInfo) String() string

                                                          func (*SealKeyInfo) XXX_DiscardUnknown

                                                          func (m *SealKeyInfo) XXX_DiscardUnknown()

                                                          func (*SealKeyInfo) XXX_Marshal

                                                          func (m *SealKeyInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

                                                          func (*SealKeyInfo) XXX_Merge

                                                          func (m *SealKeyInfo) XXX_Merge(src proto.Message)

                                                          func (*SealKeyInfo) XXX_Size

                                                          func (m *SealKeyInfo) XXX_Size() int

                                                          func (*SealKeyInfo) XXX_Unmarshal

                                                          func (m *SealKeyInfo) XXX_Unmarshal(b []byte) error

                                                          type SealedFunction

                                                          type SealedFunction func() bool

                                                          type ServiceDiscovery

                                                          type ServiceDiscovery interface {
                                                          	// NotifyActiveStateChange is used by Core to notify a backend
                                                          	// capable of ServiceDiscovery that this Vault instance has changed
                                                          	// its status to active or standby.
                                                          	NotifyActiveStateChange() error
                                                          
                                                          	// NotifySealedStateChange is used by Core to notify a backend
                                                          	// capable of ServiceDiscovery that Vault has changed its Sealed
                                                          	// status to sealed or unsealed.
                                                          	NotifySealedStateChange() error
                                                          
                                                          	// NotifyPerformanceStandbyStateChange is used by Core to notify a backend
                                                          	// capable of ServiceDiscovery that this Vault instance has changed it
                                                          	// status to performance standby or standby.
                                                          	NotifyPerformanceStandbyStateChange() error
                                                          
                                                          	// Run executes any background service discovery tasks until the
                                                          	// shutdown channel is closed.
                                                          	RunServiceDiscovery(waitGroup *sync.WaitGroup, shutdownCh ShutdownChannel, redirectAddr string, activeFunc ActiveFunction, sealedFunc SealedFunction, perfStandbyFunc PerformanceStandbyFunction) error
                                                          }

                                                            ServiceDiscovery is an optional interface that an HABackend can implement. If they do, the state of a backend is advertised to the service discovery network.

                                                            type ShutdownChannel

                                                            type ShutdownChannel chan struct{}

                                                              ShutdownSignal

                                                              type StorageEncoding

                                                              type StorageEncoding struct {
                                                              	Backend
                                                              }

                                                                StorageEncoding is used to add errors into underlying physical requests

                                                                func (*StorageEncoding) Delete

                                                                func (e *StorageEncoding) Delete(ctx context.Context, key string) error

                                                                func (*StorageEncoding) Purge

                                                                func (e *StorageEncoding) Purge(ctx context.Context)

                                                                func (*StorageEncoding) Put

                                                                func (e *StorageEncoding) Put(ctx context.Context, entry *Entry) error

                                                                func (*StorageEncoding) SetEnabled

                                                                func (e *StorageEncoding) SetEnabled(enabled bool)

                                                                type ToggleablePurgemonster

                                                                type ToggleablePurgemonster interface {
                                                                	Purge(ctx context.Context)
                                                                	SetEnabled(bool)
                                                                }

                                                                  ToggleablePurgemonster is an interface for backends that can toggle on or off special functionality and/or support purging. This is only used for the cache, don't use it for other things.

                                                                  type Transactional

                                                                  type Transactional interface {
                                                                  	// The function to run a transaction
                                                                  	Transaction(context.Context, []*TxnEntry) error
                                                                  }

                                                                    Transactional is an optional interface for backends that support doing transactional updates of multiple keys. This is required for some features such as replication.

                                                                    type TransactionalBackend

                                                                    type TransactionalBackend interface {
                                                                    	Backend
                                                                    	Transactional
                                                                    }

                                                                    type TransactionalCache

                                                                    type TransactionalCache struct {
                                                                    	*Cache
                                                                    	Transactional
                                                                    }

                                                                      TransactionalCache is a Cache that wraps the physical that is transactional

                                                                      func NewTransactionalCache

                                                                      func NewTransactionalCache(b Backend, size int, logger log.Logger) *TransactionalCache

                                                                      func (*TransactionalCache) Transaction

                                                                      func (c *TransactionalCache) Transaction(ctx context.Context, txns []*TxnEntry) error

                                                                      type TransactionalErrorInjector

                                                                      type TransactionalErrorInjector struct {
                                                                      	*ErrorInjector
                                                                      	Transactional
                                                                      }

                                                                        TransactionalErrorInjector is the transactional version of the error injector

                                                                        func NewTransactionalErrorInjector

                                                                        func NewTransactionalErrorInjector(b Backend, errorPercent int, logger log.Logger) *TransactionalErrorInjector

                                                                          NewTransactionalErrorInjector creates a new transactional ErrorInjector

                                                                          func (*TransactionalErrorInjector) Transaction

                                                                          func (e *TransactionalErrorInjector) Transaction(ctx context.Context, txns []*TxnEntry) error

                                                                          type TransactionalLatencyInjector

                                                                          type TransactionalLatencyInjector struct {
                                                                          	*LatencyInjector
                                                                          	Transactional
                                                                          }

                                                                            TransactionalLatencyInjector is the transactional version of the latency injector

                                                                            func NewTransactionalLatencyInjector

                                                                            func NewTransactionalLatencyInjector(b Backend, latency time.Duration, jitter int, logger log.Logger) *TransactionalLatencyInjector

                                                                              NewTransactionalLatencyInjector creates a new transactional LatencyInjector

                                                                              func (*TransactionalLatencyInjector) Transaction

                                                                              func (l *TransactionalLatencyInjector) Transaction(ctx context.Context, txns []*TxnEntry) error

                                                                                Transaction is a latent transaction request

                                                                                type TransactionalStorageEncoding

                                                                                type TransactionalStorageEncoding struct {
                                                                                	*StorageEncoding
                                                                                	Transactional
                                                                                }

                                                                                  TransactionalStorageEncoding is the transactional version of the error injector

                                                                                  func (*TransactionalStorageEncoding) Transaction

                                                                                  func (e *TransactionalStorageEncoding) Transaction(ctx context.Context, txns []*TxnEntry) error

                                                                                  type TxnEntry

                                                                                  type TxnEntry struct {
                                                                                  	Operation Operation
                                                                                  	Entry     *Entry
                                                                                  }

                                                                                    TxnEntry is an operation that takes atomically as part of a transactional update. Only supported by Transactional backends.

                                                                                    func SetupTestingTransactions

                                                                                    func SetupTestingTransactions(t testing.TB, b Backend) []*TxnEntry

                                                                                    type View

                                                                                    type View struct {
                                                                                    	// contains filtered or unexported fields
                                                                                    }

                                                                                      View represents a prefixed view of a physical backend

                                                                                      func NewView

                                                                                      func NewView(backend Backend, prefix string) *View

                                                                                        NewView takes an underlying physical backend and returns a view of it that can only operate with the given prefix.

                                                                                        func (*View) Delete

                                                                                        func (v *View) Delete(ctx context.Context, key string) error

                                                                                          Delete the entry from the prefix view

                                                                                          func (*View) Get

                                                                                          func (v *View) Get(ctx context.Context, key string) (*Entry, error)

                                                                                            Get the key of the prefixed view

                                                                                            func (*View) List

                                                                                            func (v *View) List(ctx context.Context, prefix string) ([]string, error)

                                                                                              List the contents of the prefixed view

                                                                                              func (*View) Put

                                                                                              func (v *View) Put(ctx context.Context, entry *Entry) error

                                                                                                Put the entry into the prefix view