README
¶
Libvault
This abstraction library is meant to be used as a faster and more opinionated version of the
standard github.com/hashicorp/vault/api default and supported Go SDK
This library is meant for people who wants to add Vault functionalities in their software without having to deal with all the plumbing necessary when using the default SDK
Testing vault integrations is not that hard but it's not trivial either, so we made an effort to deal with it so that you don't have to (as much)
Easy things should be easy
Nota bene:
- Most of the interfaces used here are still compatible with the official SDK: this way if something is missing you can just continue using the other SDK to finish the job
Usage
Testing
go test ./...
Running vault locally
docker run --rm -p8200:8200 vault:1.2.0 server -dev -dev-root-token-id=root
Documentation
¶
Index ¶
- func CutVaultPrefix(sig string) string
- func UnmarshalSecret(secret *api.Secret, output interface{}, kv2style bool) error
- type CRLConfiguration
- type Certificate
- type CertificateRequest
- type Client
- func (c *Client) GetAPIClient() *api.Client
- func (c *Client) KV(path string, enableKV2 bool, createIfDoesntExist bool) (*KV, error)
- func (c *Client) PKI(mountPath string, createIfDoesntExist bool) (*PKI, error)
- func (c *Client) SSH(mountPath string, createIfDoesntExist bool) (*SSH, error)
- func (c *Client) Transit(path, keyName string, createIfDoesntExist bool) (*Transit, error)
- type Encrypted
- type HMACInput
- type HMACOutput
- type KV
- type Key
- type KeySpec
- type ListOutput
- type PKI
- type PKIConfig
- type PKIRole
- type PKIUrls
- type SSH
- type SSHInit
- type SSHKeyOutput
- type SSHRole
- type SignInput
- type SignOutput
- type SigningMethodVault
- type Transit
- func (t *Transit) DecryptToBytes(ciphertext string) ([]byte, error)
- func (t *Transit) EncryptBytes(plaintext []byte) (string, error)
- func (t *Transit) GetPublicKey() (string, error)
- func (t *Transit) HMAC(data string) (string, error)
- func (t *Transit) KeyType() string
- func (t *Transit) Sign(data string) (string, error)
- func (t *Transit) VerifyHMAC(data, hmac string) error
- func (t *Transit) VerifySignature(data, signature string) error
- type Unencrypted
- type VerifyHMACInput
- type VerifyOutput
- type VerifySignInput
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CutVaultPrefix ¶
CutVaultPrefix is used to remove `vault:v2:` from either signatures and hmac
Types ¶
type CRLConfiguration ¶
type CRLConfiguration struct {
Expiry string `mapstructure:"expiry"`
Disable string `mapstructure:"disable"`
}
CRLConfiguration is used to configure the CA CRL configurations
type Certificate ¶
type Certificate struct {
Certificate string `mapstructure:"certificate"`
PrivateKey string `mapstructure:"private_key"`
SerialNumber string `mapstructure:"serial_number"`
PrivateKeyType string `mapstructure:"private_key_type"`
IssuingCA string `mapstructure:"issuing_ca"`
CaChain []string `mapstructure:"ca_chain"`
Expiration string `mapstructure:"expiration"`
}
Certificate is the representation of a certificate as coming out of vault
type CertificateRequest ¶
type CertificateRequest struct {
CommonName string `mapstructure:"common_name"`
IPs string `mapstructure:"ip_sans"`
AlternativesNames string `mapstructure:"alt_names"`
TTL string `mapstructure:"ttl"`
Format string `mapstructure:"pem"`
PrivateKeyFormat string `mapstructure:"der"`
}
CertificateRequest is used to
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
Client is a simple yet minimal abstraction over the default api.Client from the original library
func NewClient ¶
NewClient is in charge of creating a connection and validating that connection on the start before even starting to attemp anythign
func (*Client) GetAPIClient ¶
GetAPIClient returns the vault api.Client form the original sdk
type Encrypted ¶
type Encrypted struct {
Ciphertext string `mapstructure:"ciphertext"`
}
Encrypted is used to unmarshal ouput from the Encrypt or input for the Decrypt function
type HMACInput ¶
type HMACInput struct {
Input string `mapstructure:"input"`
}
HMACInput are the required paramethers to compute the HMAC of data
type HMACOutput ¶
type HMACOutput struct {
HMAC string `mapstructure:"hmac"`
}
HMACOutput is the result of the HMAC function in vault
type KV ¶
type KV struct {
// contains filtered or unexported fields
}
KV represents the KV store in vault
type Key ¶
type Key struct {
AllowPlaintextBackup bool `mapstructure:"allow_plaintext_backup"`
Name string `mapstructure:"name"`
DeletionAllowed bool `mapstructure:"deletion_allowed"`
Derived bool `mapstructure:"derived"`
Exportable bool `mapstructure:"exportable"`
Keys map[string]KeySpec `mapstructure:"keys"`
LatestVersion int `mapstructure:"latest_version"`
MinAvailableVersion int `mapstructure:"min_available_version"`
MinDecryptionVersion int `mapstructure:"min_decryption_version"`
MinEncryptionVersion int `mapstructure:"min_encryption_version"`
SupportsDecryption bool `mapstructure:"supports_decryption"`
SupportsDerivation bool `mapstructure:"supports_derivation"`
SupportsEncryption bool `mapstructure:"supports_encryption"`
SupportsSigning bool `mapstructure:"supports_signing"`
Type string `mapstructure:"type"`
}
Key is how a new key is created/configured/exported in vault
type KeySpec ¶
type KeySpec struct {
CreationTime string `mapstructure:"creation_time"`
Name string `mapstructure:"name"`
PublicKey string `mapstructure:"public_key"`
}
KeySpec represents the key specification for a specific version
type ListOutput ¶
type ListOutput struct {
Keys []string `mapstructure:"keys"`
}
ListOutput represent the kind of secret you get after a list operation
type PKI ¶
type PKI struct {
// contains filtered or unexported fields
}
PKI identifies a new PKI (one PKI with CA)
func (*PKI) CreateDefaultRoles ¶
CreateDefaultRoles creates common used roles (server, client, peer)
func (*PKI) CreateRole ¶
CreateRole adds a role to a given PKI secret backend
type PKIConfig ¶
type PKIConfig struct {
CommonName string `mapstructure:"common_name"`
Organization string `mapstructure:"organization"`
OU string `mapstructure:"ou"`
StreetAddress string `mapstructure:"street_address"`
Locality string `mapstructure:"locality"`
Province string `mapstructure:"province"`
PostalCode string `mapstructure:"postal_code"`
Country string `mapstructure:"country"`
TTL string `mapstructure:"ttl"`
PrivateKeyFormat string `mapstructure:"private_key_format"`
Format string `mapstructure:"format"`
KeyType string `mapstructure:"key_type"`
KeyBits string `mapstructure:"key_bits"`
}
PKIConfig represents the configuration of a CA: Distinguished name and key specifications
type PKIRole ¶
type PKIRole struct {
TTL string `mapstructure:"ttl"`
MaxTTL string `mapstructure:"max_ttl"`
CodeSigningFlag bool `mapstructure:"code_signing_flag"`
EmailProtectionFlag bool `mapstructure:"email_protection_flag"`
KeyUsage []string `mapstructure:"key_usage"`
AllowLocalhost bool `mapstructure:"allow_localhost"`
AllowGlobDomains bool `mapstructure:"allow_glob_domains"`
AllowIPSans bool `mapstructure:"allow_ip_sans"`
RequireCN bool `mapstructure:"require_cn"`
NonCA bool `mapstructure:"basic_constraints_valid_for_non_ca"`
AllowAnyName bool `mapstructure:"allow_any_name"`
AllowSubdomains bool `mapstructure:"allow_subdomains"`
AllowBareDomains bool `mapstructure:"allow_bare_domains"`
AllowedDomains []string `mapstructure:"allowed_domains"`
ServerFlag bool `mapstructure:"server_flag"`
ClientFlag bool `mapstructure:"client_flag"`
ExtKeyUsage []string `mapstructure:"ext_key_usage"`
GenerateLease bool `mapstructure:"generate_lease"`
OU string `mapstructure:"ou"`
Organization string `mapstructure:"organization"`
EnforceHostnames bool `mapstructure:"enforce_hostnames"`
}
PKIRole is used to create and manage roles in vault PKI backend
func DefaultRoleConfiguration ¶
DefaultRoleConfiguration creates sane default for configurations
type PKIUrls ¶
type PKIUrls struct {
IssuingCertificates string `mapstructure:"issuing_certificates"`
CRLDistributionPoint string `mapstructure:"crl_distribution_points"`
}
PKIUrls is used to configure the CA defaults
type SSH ¶
type SSH struct {
// contains filtered or unexported fields
}
SSH identifies a new SSH secret engine
func (*SSH) GetPublicKey ¶
type SSHInit ¶
type SSHInit struct {
GenerateSigningKey bool `mapstructure:"generate_signing_key"`
}
SSHInit is used to initialize a SSH secret backend with CA key_type
type SSHKeyOutput ¶
type SSHKeyOutput struct {
PublicKey string `mapstructure:"public_key"`
}
type SSHRole ¶
type SSHRole struct {
AllowUserCertificates bool `mapstructure:"allow_user_certificates"`
AllowedUsers string `mapstructure:"allowed_users"`
DefaultExtensions map[string]string `mapstructure:"default_extensions"`
AllowedExtenstion string `mapstructure:"allowed_extensions"`
KeyType string `mapstructure:"key_type"`
DefaultUser string `mapstructure:"default_user"`
TTL string `mapstructure:"ttl"`
MaxTTL string `mapstructure:"max_ttl"`
}
SSHRole is used to create a new role for ssh CA key_type
type SignInput ¶
type SignInput struct {
Input string `mapstructure:"input"`
MarshalingAlgorithm string `mapstructure:"marshaling_algorithm"`
SignatureAlgorithm string `mapstructure:"signature_algorithm"`
Prehashed bool `mapstructure:"prehashed"`
}
SignInput are the paramethers necessary to get a signature of data
type SignOutput ¶
type SignOutput struct {
Signature string `mapstructure:"signature"`
}
SignOutput is the actual signature of the previously passed data
type SigningMethodVault ¶
type SigningMethodVault struct {
// contains filtered or unexported fields
}
SigningMethodVault is the type that implements the SigningMethod interface (https://godoc.org/github.com/dgrijalva/jwt-go#SigningMethod)
var ( // SigningMethodVaultRS256 implements the SigningMethod interface with alg RS256 SigningMethodVaultRS256 *SigningMethodVault // SigningMethodVaultES256 implements the SigningMethod interface with alg ES256 SigningMethodVaultES256 *SigningMethodVault )
func (*SigningMethodVault) Alg ¶
func (r *SigningMethodVault) Alg() string
Alg will return the JWT header algorithm identifier this method is configured for
func (*SigningMethodVault) Sign ¶
func (r *SigningMethodVault) Sign(signingString string, key interface{}) (string, error)
Sign implements the Sign method from jwt.SigningMethod. Key must be of type libvault.Transit with the right alg key configured (rsa-2048/4096 for RS256 or edcsa-p256 for ES256)
func (*SigningMethodVault) Verify ¶
func (r *SigningMethodVault) Verify(signingString, signature string, key interface{}) error
Verify implements the Verify method from jwt.SigningMethod. Key must be of type libvault.Transit with the right alg key configured (rsa-2048/4096 for RS256 or edcsa-p256 for ES256)
type Transit ¶
type Transit struct {
// contains filtered or unexported fields
}
Transit represents the transit secret backend in vault
func (*Transit) DecryptToBytes ¶
DecryptToBytes is used to encrypt data that is already serialized
func (*Transit) EncryptBytes ¶
EncryptBytes is used to encrypt data that is already serialized
func (*Transit) GetPublicKey ¶
GetPublicKey obtains the public key for the specified key
func (*Transit) VerifyHMAC ¶
VerifyHMAC is used to verify a signature previously created with vault
func (*Transit) VerifySignature ¶
VerifySignature is used to verify a signature previously created with vault: signature is of type "vault:v1:abcdefg..."
type Unencrypted ¶
type Unencrypted struct {
Plaintext string `mapstructure:"plaintext"`
}
Unencrypted is the plaintext side!
type VerifyHMACInput ¶
type VerifyHMACInput struct {
Input string `mapstructure:"input"`
HMAC string `mapstructure:"hmac"`
MarshalingAlgorithm string `mapstructure:"marshaling_algorithm"`
SignatureAlgorithm string `mapstructure:"signature_algorithm"`
Prehashed bool `mapstructure:"prehashed"`
}
VerifyHMACInput are the necessary parametheus to verify an HMAC obtained with vault
type VerifyOutput ¶
type VerifyOutput struct {
Valid bool `mapstructure:"valid"`
}
VerifyOutput is the outcome of a verification call
type VerifySignInput ¶
type VerifySignInput struct {
Input string `mapstructure:"input"`
Signature string `mapstructure:"signature"`
MarshalingAlgorithm string `mapstructure:"marshaling_algorithm"`
SignatureAlgorithm string `mapstructure:"signature_algorithm"`
Prehashed bool `mapstructure:"prehashed"`
}
VerifySignInput are the necessary parametheus to verify a signature obtained with vault
Source Files
Directories