conjurapi

package


Constants

// Credential storage backends selectable through Config.CredentialStorage
// (see also PurgeCredentials and CredentialStorageProvider).
//
// NOTE(review): what each backend actually does is not visible on this page.
// The names suggest "file" keeps credentials on disk (presumably the netrc
// file named by Config.NetRCPath), "keyring" uses the OS keyring, and "none"
// keeps nothing at rest — confirm against the storage implementations before
// relying on this for secret-handling decisions.
const (
	CredentialStorageFile    = "file"
	CredentialStorageKeyring = "keyring"
	CredentialStorageNone    = "none"
)

Variables

This section is empty.

Functions

func LoginPairFromEnv

func LoginPairFromEnv() (*authn.LoginPair, error)

func PurgeCredentials added in v0.11.0

func PurgeCredentials(config Config) error

PurgeCredentials purges credentials from the credential storage selected by config.CredentialStorage (one of CredentialStorageFile, CredentialStorageKeyring or CredentialStorageNone). Call it when a session ends so that a stored API key or access token does not outlive its use.

func ReadResponseBody added in v0.3.0

func ReadResponseBody(response io.ReadCloser) ([]byte, error)

ReadResponseBody fully reads a response body into memory and closes the reader. The read does not appear to be bounded, so wrap a body from an untrusted or potentially very large source in an io.LimitReader before passing it in.

Types

type Authenticator

// Authenticator supplies access tokens to a Client (see SetAuthenticator and
// GetAuthenticator). RefreshToken returns a fresh token as raw bytes;
// NeedsTokenRefresh reports whether the token the Client currently holds
// should be replaced before the next request.
//
// NOTE(review): the token format and lifetime are not visible here;
// implementations presumably track expiry to answer NeedsTokenRefresh.
type Authenticator interface {
	// RefreshToken obtains a new access token.
	RefreshToken() ([]byte, error)
	// NeedsTokenRefresh reports whether RefreshToken should be called now.
	NeedsTokenRefresh() bool
}

type Client

// Client talks to a Conjur appliance. Construct it with one of the NewClient*
// functions; its configuration, Authenticator and HTTP client are reachable
// through GetConfig, GetAuthenticator and GetHttpClient.
type Client struct {
	// contains filtered or unexported fields
}

func NewClient added in v0.11.0

func NewClient(config Config) (*Client, error)

func NewClientFromEnvironment

func NewClientFromEnvironment(config Config) (*Client, error)

TODO: Create a version of this function for creating an authenticator from environment

func NewClientFromJwt added in v0.11.0

func NewClientFromJwt(config Config, authnJwtServiceID string) (*Client, error)

func NewClientFromKey

func NewClientFromKey(config Config, loginPair authn.LoginPair) (*Client, error)

func NewClientFromOidcCode added in v0.11.0

func NewClientFromOidcCode(config Config, code, nonce, code_verifier string) (*Client, error)

func NewClientFromToken

func NewClientFromToken(config Config, token string) (*Client, error)

func NewClientFromTokenFile

// NewClientFromTokenFile builds a Client that authenticates with an access
// token read from tokenFile instead of with a login pair (compare
// NewClientFromKey and NewClientFromToken).
//
// NOTE(review): the file holds a live credential and should be readable only
// by the process owner. Whether the client re-reads the file when the token
// expires is not visible here — confirm before relying on it for long-lived
// processes.
func NewClientFromTokenFile(config Config, tokenFile string) (*Client, error)

func (*Client) AddSecret

func (c *Client) AddSecret(variableID string, secretValue string) error

AddSecret adds a secret value to a variable.

The authenticated user must have update privilege on the variable.

func (*Client) AddSecretRequest added in v0.11.0

func (c *Client) AddSecretRequest(variableID, secretValue string) (*http.Request, error)

func (*Client) Authenticate

func (c *Client) Authenticate(loginPair authn.LoginPair) ([]byte, error)

Authenticate exchanges the given login pair for a new access token. The token alone is enough to build a Client (see NewClientFromToken), so handle it as a secret.

func (*Client) AuthenticateReader added in v0.3.0

func (c *Client) AuthenticateReader(loginPair authn.LoginPair) (io.ReadCloser, error)

AuthenticateReader obtains a new access token and returns it as a data stream.

func (*Client) AuthenticateRequest added in v0.11.0

func (c *Client) AuthenticateRequest(loginPair authn.LoginPair) (*http.Request, error)

func (*Client) ChangeCurrentUserPassword added in v0.11.0

func (c *Client) ChangeCurrentUserPassword(newPassword string) ([]byte, error)

func (*Client) ChangeUserPassword added in v0.11.0

func (c *Client) ChangeUserPassword(username string, password string, newPassword string) ([]byte, error)

func (*Client) ChangeUserPasswordRequest added in v0.11.0

func (c *Client) ChangeUserPasswordRequest(username string, password string, newPassword string) (*http.Request, error)

func (*Client) CheckPermission added in v0.3.0

func (c *Client) CheckPermission(resourceID string, privilege string) (bool, error)

CheckPermission determines whether the authenticated user has a specified privilege on a resource.

func (*Client) CheckPermissionForRole added in v0.11.0

func (c *Client) CheckPermissionForRole(resourceID string, roleID string, privilege string) (bool, error)

CheckPermissionForRole determines whether the provided role has a specific privilege on a resource.

func (*Client) CheckPermissionForRoleRequest added in v0.11.0

func (c *Client) CheckPermissionForRoleRequest(resourceID, roleID, privilege string) (*http.Request, error)

CheckPermissionForRoleRequest crafts an HTTP request to Conjur's /resource endpoint to check if a given role has the given privilege on the given resourceID.

func (*Client) CheckPermissionRequest added in v0.11.0

func (c *Client) CheckPermissionRequest(resourceID, privilege string) (*http.Request, error)

CheckPermissionRequest crafts an HTTP request to Conjur's /resource endpoint to check if the authenticated user has the given privilege on the given resourceID.

func (*Client) CreateHost added in v0.11.0

func (c *Client) CreateHost(id string, token string) (HostFactoryHostResponse, error)

func (*Client) CreateHostRequest added in v0.11.0

func (c *Client) CreateHostRequest(body string, token string) (*http.Request, error)

func (*Client) CreateToken added in v0.11.0

// CreateToken asks the host factory hostFactory for count tokens that are
// valid for durationStr and usable only from the cidrs given (see
// HostFactoryTokenResponse).
//
// NOTE(review): each token lets its holder create hosts (CreateHost) and
// receive their API keys. Keep durationStr short, pass a non-empty cidrs list
// where possible, and DeleteToken anything no longer needed. The accepted
// duration syntax is not visible here.
func (c *Client) CreateToken(durationStr string, hostFactory string, cidrs []string, count int) ([]HostFactoryTokenResponse, error)

func (*Client) CreateTokenRequest added in v0.11.0

func (c *Client) CreateTokenRequest(body string) (*http.Request, error)

func (*Client) DeleteToken added in v0.11.0

func (c *Client) DeleteToken(token string) error

func (*Client) DeleteTokenRequest added in v0.11.0

func (c *Client) DeleteTokenRequest(token string) (*http.Request, error)

func (*Client) ForceRefreshToken added in v0.11.0

func (c *Client) ForceRefreshToken() error

func (*Client) GetAuthenticator added in v0.11.0

func (c *Client) GetAuthenticator() Authenticator

func (*Client) GetConfig added in v0.5.0

func (c *Client) GetConfig() Config

func (*Client) GetHttpClient added in v0.5.1

func (c *Client) GetHttpClient() *http.Client

func (*Client) InternalAuthenticate added in v0.11.0

func (c *Client) InternalAuthenticate() ([]byte, error)

InternalAuthenticate obtains a new access token using the client's internal Authenticator (see SetAuthenticator and GetAuthenticator).

func (*Client) ListOidcProviders added in v0.11.0

func (c *Client) ListOidcProviders() ([]OidcProvider, error)

func (*Client) ListOidcProvidersRequest added in v0.11.0

func (c *Client) ListOidcProvidersRequest() (*http.Request, error)

func (*Client) LoadPolicy

func (c *Client) LoadPolicy(mode PolicyMode, policyID string, policy io.Reader) (*PolicyResponse, error)

LoadPolicy submits new policy data or policy changes to the server.

The required permission depends on the mode. Note that PolicyModePut replaces the whole policy and implicitly deletes anything the new document does not re-declare, so review the document carefully before using that mode.

func (*Client) LoadPolicyRequest added in v0.11.0

func (c *Client) LoadPolicyRequest(mode PolicyMode, policyID string, policy io.Reader) (*http.Request, error)

func (*Client) Login added in v0.11.0

func (c *Client) Login(login string, password string) ([]byte, error)

Login exchanges a user's password for an API key. The returned API key is a reusable credential (RotateAPIKey is the way to retire it), so store it only through the configured credential storage and never log it.

func (*Client) LoginRequest added in v0.11.0

func (c *Client) LoginRequest(login string, password string) (*http.Request, error)

func (*Client) NeedsTokenRefresh

func (c *Client) NeedsTokenRefresh() bool

func (*Client) OidcAuthenticate added in v0.11.0

func (c *Client) OidcAuthenticate(code, nonce, code_verifier string) ([]byte, error)

func (*Client) OidcAuthenticateRequest added in v0.11.0

func (c *Client) OidcAuthenticateRequest(code, nonce, code_verifier string) (*http.Request, error)

func (*Client) PermittedRoles added in v0.11.0

func (c *Client) PermittedRoles(resourceID, privilege string) ([]string, error)

PermittedRoles lists the roles which have the named privilege on a resource.

func (*Client) PermittedRolesRequest added in v0.11.0

func (c *Client) PermittedRolesRequest(resourceID string, privilege string) (*http.Request, error)

func (*Client) PublicKeys added in v0.11.0

func (c *Client) PublicKeys(kind string, identifier string) ([]byte, error)

func (*Client) PublicKeysRequest added in v0.11.0

func (c *Client) PublicKeysRequest(kind string, identifier string) (*http.Request, error)

func (*Client) PurgeCredentials added in v0.11.0

func (c *Client) PurgeCredentials() error

PurgeCredentials purges credentials from the client's credential storage.

func (*Client) RefreshToken

func (c *Client) RefreshToken() (err error)

func (*Client) Resource added in v0.4.0

func (c *Client) Resource(resourceID string) (resource map[string]interface{}, err error)

Resource fetches a single user-visible resource by ID.

func (*Client) ResourceExists added in v0.11.0

func (c *Client) ResourceExists(resourceID string) (bool, error)

ResourceExists checks whether or not a resource exists.

func (*Client) ResourceIDs added in v0.11.0

func (c *Client) ResourceIDs(filter *ResourceFilter) ([]string, error)

func (*Client) ResourceRequest added in v0.11.0

func (c *Client) ResourceRequest(resourceID string) (*http.Request, error)

func (*Client) Resources added in v0.4.0

func (c *Client) Resources(filter *ResourceFilter) (resources []map[string]interface{}, err error)

Resources fetches user-visible resources. The set of resources can be limited by the given ResourceFilter. If filter is non-nil, only non-zero-valued members of the filter will be applied.

func (*Client) ResourcesRequest added in v0.11.0

func (c *Client) ResourcesRequest(filter *ResourceFilter) (*http.Request, error)

func (*Client) RetrieveBatchSecrets added in v0.3.3

func (c *Client) RetrieveBatchSecrets(variableIDs []string) (map[string][]byte, error)

RetrieveBatchSecrets fetches values for all variables in a slice using a single API call.

The authenticated user must have execute privilege on all variables.

func (*Client) RetrieveBatchSecretsRequest added in v0.11.0

func (c *Client) RetrieveBatchSecretsRequest(variableIDs []string, base64Flag bool) (*http.Request, error)

func (*Client) RetrieveBatchSecretsSafe added in v0.7.0

func (c *Client) RetrieveBatchSecretsSafe(variableIDs []string) (map[string][]byte, error)

RetrieveBatchSecretsSafe fetches values for all variables in a slice using a single API call. This version of the method will automatically base64-encode the secrets on the server side allowing the retrieval of binary values in batch requests. Secrets are NOT base64 encoded in the returned map.

The authenticated user must have execute privilege on all variables.

func (*Client) RetrieveSecret

func (c *Client) RetrieveSecret(variableID string) ([]byte, error)

RetrieveSecret fetches a secret from a variable.

The authenticated user must have execute privilege on the variable.

func (*Client) RetrieveSecretReader added in v0.3.0

func (c *Client) RetrieveSecretReader(variableID string) (io.ReadCloser, error)

RetrieveSecretReader fetches a secret from a variable and returns it as a data stream.

The authenticated user must have execute privilege on the variable.

func (*Client) RetrieveSecretRequest added in v0.11.0

func (c *Client) RetrieveSecretRequest(variableID string) (*http.Request, error)

func (*Client) RetrieveSecretWithVersion added in v0.11.0

func (c *Client) RetrieveSecretWithVersion(variableID string, version int) ([]byte, error)

RetrieveSecretWithVersion fetches a specific version of a secret from a variable.

The authenticated user must have execute privilege on the variable.

func (*Client) RetrieveSecretWithVersionReader added in v0.11.0

func (c *Client) RetrieveSecretWithVersionReader(variableID string, version int) (io.ReadCloser, error)

RetrieveSecretWithVersionReader fetches a specific version of a secret from a variable and returns it as a data stream.

The authenticated user must have execute privilege on the variable.

func (*Client) RetrieveSecretWithVersionRequest added in v0.11.0

func (c *Client) RetrieveSecretWithVersionRequest(variableID string, version int) (*http.Request, error)

func (*Client) Role added in v0.11.0

func (c *Client) Role(roleID string) (role map[string]interface{}, err error)

Role fetches detailed information about a specific role, including the role members.

func (*Client) RoleExists added in v0.11.0

func (c *Client) RoleExists(roleID string) (bool, error)

RoleExists checks whether or not a role exists.

func (*Client) RoleMembers added in v0.11.0

func (c *Client) RoleMembers(roleID string) (members []map[string]interface{}, err error)

RoleMembers fetches the members of a role.

func (*Client) RoleMembersRequest added in v0.11.0

func (c *Client) RoleMembersRequest(roleID string) (*http.Request, error)

func (*Client) RoleMemberships added in v0.11.0

func (c *Client) RoleMemberships(roleID string) (memberships []map[string]interface{}, err error)

RoleMemberships fetches the memberships of a role, including the list of groups of which a specific host or user is a member.

func (*Client) RoleMembershipsRequest added in v0.11.0

func (c *Client) RoleMembershipsRequest(roleID string) (*http.Request, error)

func (*Client) RoleRequest added in v0.11.0

func (c *Client) RoleRequest(roleID string) (*http.Request, error)

func (*Client) RotateAPIKey added in v0.3.0

func (c *Client) RotateAPIKey(roleID string) ([]byte, error)

RotateAPIKey replaces the API key of a role on the server with a new random secret; the previous key is superseded, so any other consumer still using it will need the new one. Given that a fully-qualified resource ID resembles '<account>:<kind>:<identifier>', argument roleID must be at least partially-qualified.

The authenticated user must have update privilege on the role.

func (*Client) RotateAPIKeyReader added in v0.3.0

func (c *Client) RotateAPIKeyReader(roleID string) (io.ReadCloser, error)

RotateAPIKeyReader replaces the API key of a role on the server with a new random secret and returns it as a data stream.

The authenticated user must have update privilege on the role.

func (*Client) RotateAPIKeyRequest added in v0.11.0

func (c *Client) RotateAPIKeyRequest(roleID string) (*http.Request, error)

RotateAPIKeyRequest requires the roleID argument to be an at least partially-qualified ID of the form [<account>:]<kind>:<identifier>.

func (*Client) RotateCurrentUserAPIKey added in v0.11.0

func (c *Client) RotateCurrentUserAPIKey() ([]byte, error)

func (*Client) RotateCurrentUserAPIKeyRequest added in v0.11.0

func (c *Client) RotateCurrentUserAPIKeyRequest(login string, password string) (*http.Request, error)

func (*Client) RotateHostAPIKey added in v0.11.0

func (c *Client) RotateHostAPIKey(hostID string) ([]byte, error)

RotateHostAPIKey constructs a role ID from a given host ID then replaces the API key of the role with a new random secret. Given that a fully-qualified resource ID resembles '<account>:<kind>:<identifier>', argument hostID will be accepted as either fully- or partially-qualified, but the provided role must be a host.

The authenticated user must have update privilege on the role.

func (*Client) RotateUserAPIKey added in v0.11.0

func (c *Client) RotateUserAPIKey(userID string) ([]byte, error)

RotateUserAPIKey constructs a role ID from a given user ID then replaces the API key of the role with a new random secret. Given that a fully-qualified resource ID resembles '<account>:<kind>:<identifier>', argument userID will be accepted as either fully- or partially-qualified, but the provided role must be a user.

The authenticated user must have update privilege on the role.

func (*Client) SetAuthenticator added in v0.11.0

func (c *Client) SetAuthenticator(authenticator Authenticator)

func (*Client) SetHttpClient added in v0.5.1

// SetHttpClient replaces the *http.Client the Client uses for requests
// (the current one is available through GetHttpClient).
//
// NOTE(review): a replacement client presumably bypasses whatever TLS trust
// the constructors derive from Config.SSLCert / SSLCertPath, so it must carry
// its own trust configuration and must not disable certificate verification.
func (c *Client) SetHttpClient(httpClient *http.Client)

func (*Client) SubmitRequest

func (c *Client) SubmitRequest(req *http.Request) (resp *http.Response, err error)

func (*Client) WhoAmI added in v0.11.0

func (c *Client) WhoAmI() ([]byte, error)

WhoAmI obtains information on the current user.

func (*Client) WhoAmIRequest added in v0.11.0

func (c *Client) WhoAmIRequest() (*http.Request, error)

type Config

// Config describes how a Client reaches and authenticates to a Conjur
// appliance. The yaml tags are the keys used by the conjurrc file (see
// LoadConfig and Conjurrc); Validate checks a populated Config.
type Config struct {
	// Account is the Conjur account name.
	Account string `yaml:"account,omitempty"`

	// ApplianceURL is the base URL of the Conjur appliance (see BaseURL and
	// IsHttps). NOTE(review): over plain http every API key, access token and
	// secret value crosses the wire in clear — prefer https.
	ApplianceURL string `yaml:"appliance_url,omitempty"`

	// NetRCPath is the path of a netrc file. NOTE(review): presumably this is
	// where the "file" credential storage keeps the login/API key pair —
	// confirm against the storage implementation.
	NetRCPath string `yaml:"netrc_path,omitempty"`

	// SSLCert holds the appliance certificate contents in memory. The yaml:"-"
	// tag keeps it out of the serialized conjurrc; see ReadSSLCert.
	SSLCert string `yaml:"-"`

	// SSLCertPath is the path of the appliance certificate file
	// (conjurrc key cert_file).
	SSLCertPath string `yaml:"cert_file,omitempty"`

	// AuthnType selects the authenticator type. NOTE(review): the accepted
	// values are not visible here; NewClientFromJwt and NewClientFromOidcCode
	// suggest JWT and OIDC authenticators are among them — confirm.
	AuthnType string `yaml:"authn_type,omitempty"`

	// ServiceID identifies the authenticator service instance used together
	// with AuthnType (compare OidcProvider.ServiceID and the authnJwtServiceID
	// argument of NewClientFromJwt).
	ServiceID string `yaml:"service_id,omitempty"`

	// CredentialStorage selects where credentials are kept at rest; the
	// expected values are CredentialStorageFile, CredentialStorageKeyring and
	// CredentialStorageNone (see PurgeCredentials).
	CredentialStorage string `yaml:"credential_storage,omitempty"`
}

func LoadConfig

func LoadConfig() (Config, error)

func (*Config) BaseURL

func (c *Config) BaseURL() string

func (*Config) Conjurrc added in v0.11.0

func (c *Config) Conjurrc() []byte

func (*Config) IsHttps added in v0.5.0

func (c *Config) IsHttps() bool

func (*Config) ReadSSLCert

func (c *Config) ReadSSLCert() ([]byte, error)

func (*Config) Validate added in v0.11.0

func (c *Config) Validate() error

type CreatedRole added in v0.3.0

// CreatedRole is one entry of PolicyResponse.CreatedRoles: the full ID of a
// role the server created while loading a policy, together with the API key
// it issued for that role.
//
// NOTE(review): APIKey is a credential. Do not log or persist the
// PolicyResponse carelessly, and use RotateAPIKey if the key may have leaked.
type CreatedRole struct {
	// ID is the full role ID.
	ID string `json:"id"`

	// APIKey is the role's API key as issued by the server.
	APIKey string `json:"api_key"`
}

CreatedRole contains the full role ID and API key of a role which was created by the server when loading a policy. The API key is a credential: treat the PolicyResponse carrying it as sensitive and do not log it.

type CredentialStorageProvider added in v0.11.0

// CredentialStorageProvider abstracts where a Client keeps its login
// credentials and its current access token. The backend is selected through
// Config.CredentialStorage (see the CredentialStorage* constants).
//
// NOTE(review): implementations hold secrets at rest. A file-backed
// implementation should create its files with owner-only permissions, and
// PurgeCredentials should remove every stored item — verify the concrete
// providers, which are not visible here.
type CredentialStorageProvider interface {
	// StoreCredentials persists a login and its password (presumably the API
	// key obtained through Login).
	StoreCredentials(login string, password string) error
	// ReadCredentials returns the stored login and password.
	ReadCredentials() (login string, password string, err error)
	// ReadAuthnToken returns the stored access token bytes.
	ReadAuthnToken() ([]byte, error)
	// StoreAuthnToken persists an access token.
	StoreAuthnToken(token []byte) error
	// PurgeCredentials removes everything this provider has stored.
	PurgeCredentials() error
}

type HostFactoryHostResponse added in v0.11.0

// HostFactoryHostResponse is the server's answer to CreateHost: the newly
// created host and the API key issued for it.
//
// NOTE(review): ApiKey is a credential; handle the whole response as secret.
type HostFactoryHostResponse struct {
	// CreatedAt is the creation time as reported by the server (string form).
	CreatedAt string `json:"created_at"`

	// Id is the ID of the created host.
	Id string `json:"id"`

	// Owner is the owning role of the host.
	Owner string `json:"owner"`

	// Permissions lists the permissions reported for the host.
	Permissions []string `json:"permissions"`

	// Annotations lists the annotations reported for the host.
	Annotations []string `json:"annotations"`

	// RestrictedTo lists restrictions placed on the host. NOTE(review):
	// presumably CIDR restrictions (compare HostFactoryTokenResponse.Cidr) —
	// confirm.
	RestrictedTo []string `json:"restricted_to"`

	// ApiKey is the API key issued for the new host.
	ApiKey string `json:"api_key"`
}

type HostFactoryTokenResponse added in v0.11.0

// HostFactoryTokenResponse is one host-factory token as returned by
// CreateToken.
//
// NOTE(review): Token is itself a credential — whoever holds it can call
// CreateHost and obtain host API keys, presumably until Expiration and only
// from addresses in Cidr. Revoke it with DeleteToken once it is no longer
// needed.
type HostFactoryTokenResponse struct {
	// Expiration is the token's expiry as reported by the server (string form).
	Expiration string `json:"expiration"`

	// Cidr lists the networks the token may be used from.
	Cidr []string `json:"cidr"`

	// Token is the host-factory token value.
	Token string `json:"token"`
}

type OidcProvider added in v0.11.0

// OidcProvider describes one OIDC authenticator as returned by
// ListOidcProviders. Nonce and CodeVerifier are the values a caller passes
// back, together with the authorization code, to OidcAuthenticate or
// NewClientFromOidcCode.
//
// NOTE(review): Nonce and CodeVerifier are single-use values of the OIDC /
// PKCE flow; keep them private to one login attempt and do not reuse them.
// How the server generates them is not visible here — confirm.
type OidcProvider struct {
	// ServiceID identifies the OIDC authenticator service.
	ServiceID string `json:"service_id"`

	// Type is the authenticator type reported by the server.
	Type string `json:"type"`

	// Name is the display name of the provider.
	Name string `json:"name"`

	// Nonce is the value to pass back as the nonce argument.
	Nonce string `json:"nonce"`

	// CodeVerifier is the value to pass back as the code_verifier argument.
	CodeVerifier string `json:"code_verifier"`

	// RedirectURI is the redirect URI to use in the authorization request.
	RedirectURI string `json:"redirect_uri"`
}

OidcProvider contains information about an OIDC provider as returned by ListOidcProviders, including the nonce and code verifier that are passed back, together with the authorization code, to OidcAuthenticate or NewClientFromOidcCode.

type PolicyMode added in v0.3.0

type PolicyMode uint

PolicyMode defines the server-side behavior when loading a policy.

// Policy load modes accepted by LoadPolicy and LoadPolicyRequest.
const (
	// PolicyModePost appends new data to the policy.
	PolicyModePost PolicyMode = 1
	// PolicyModePut completely replaces the policy, implicitly deleting data
	// which is not present in the new policy. NOTE(review): this is the
	// destructive mode — a truncated or wrong document removes whatever was
	// not re-declared.
	PolicyModePut PolicyMode = 2
	// PolicyModePatch adds policy data and explicitly deletes policy data.
	PolicyModePatch PolicyMode = 3
)

type PolicyResponse added in v0.3.0

// PolicyResponse is the server's answer to LoadPolicy.
type PolicyResponse struct {
	// CreatedRoles maps role IDs to the roles the server created for this
	// load, including their API keys. NOTE(review): contains credentials —
	// see CreatedRole.
	CreatedRoles map[string]CreatedRole `json:"created_roles"`
	// Version is the policy version number after this load.
	Version uint32 `json:"version"`
}

PolicyResponse contains information about the policy update, including the API keys of any roles the load created (see CreatedRole).

type ResourceFilter added in v0.4.0

// ResourceFilter narrows the results of Resources and ResourceIDs. Only
// non-zero-valued fields are applied (see Resources).
//
// NOTE(review): the exact server-side semantics of Search and Role are not
// visible here — confirm against the Conjur resources API.
type ResourceFilter struct {
	// Kind restricts results to one resource kind (the <kind> segment of
	// <account>:<kind>:<identifier>).
	Kind string
	// Search is a search term, presumably matched against resource IDs/annotations.
	Search string
	// Limit caps the number of results returned.
	Limit int
	// Offset skips that many results (pagination together with Limit).
	Offset int
	// Role restricts results to those related to the given role.
	Role string
}
