Documentation

Index

Constants

View Source
const (
	// The operations below are called per path
	CreateOperation         Operation = "create"
	ReadOperation                     = "read"
	UpdateOperation                   = "update"
	DeleteOperation                   = "delete"
	ListOperation                     = "list"
	HelpOperation                     = "help"
	AliasLookaheadOperation           = "alias-lookahead"

	// The operations below are called globally, the path is less relevant.
	RevokeOperation   Operation = "revoke"
	RenewOperation              = "renew"
	RollbackOperation           = "rollback"
)
View Source
const (
	// HTTPContentType can be specified in the Data field of a Response
	// so that the HTTP front end can specify a custom Content-Type associated
	// with the HTTPRawBody. This can only be used for non-secrets, and should
	// be avoided unless absolutely necessary, such as implementing a specification.
	// The value must be a string.
	HTTPContentType = "http_content_type"

	// HTTPRawBody is the raw content of the HTTP body that goes with the HTTPContentType.
	// This can only be specified for non-secrets, and should should be similarly
	// avoided like the HTTPContentType. The value must be a byte slice.
	HTTPRawBody = "http_raw_body"

	// HTTPStatusCode is the response code of the HTTP body that goes with the HTTPContentType.
	// This can only be specified for non-secrets, and should should be similarly
	// avoided like the HTTPContentType. The value must be an integer.
	HTTPStatusCode = "http_status_code"

	// For unwrapping we may need to know whether the value contained in the
	// raw body is already JSON-unmarshaled. The presence of this key indicates
	// that it has already been unmarshaled. That way we don't need to simply
	// ignore errors.
	HTTPRawBodyAlreadyJSONDecoded = "http_raw_body_already_json_decoded"

	// If set, HTTPRawCacheControl will replace the default Cache-Control=no-store header
	// set by the generic wrapping handler. The value must be a string.
	HTTPRawCacheControl = "http_raw_cache_control"
)

Variables

View Source
var (
	// ErrUnsupportedOperation is returned if the operation is not supported
	// by the logical backend.
	ErrUnsupportedOperation = errors.New("unsupported operation")

	// ErrUnsupportedPath is returned if the path is not supported
	// by the logical backend.
	ErrUnsupportedPath = errors.New("unsupported path")

	// ErrInvalidRequest is returned if the request is invalid
	ErrInvalidRequest = errors.New("invalid request")

	// ErrPermissionDenied is returned if the client is not authorized
	ErrPermissionDenied = errors.New("permission denied")

	// ErrMultiAuthzPending is returned if the the request needs more
	// authorizations
	ErrMultiAuthzPending = errors.New("request needs further approval")

	// ErrUpstreamRateLimited is returned when Vault receives a rate limited
	// response from an upstream
	ErrUpstreamRateLimited = errors.New("upstream rate limited")

	// ErrPerfStandbyForward is returned when Vault is in a state such that a
	// perf standby cannot satisfy a request
	ErrPerfStandbyPleaseForward = errors.New("please forward to the active node")

	// ErrLeaseCountQuotaExceeded is returned when a request is rejected due to a lease
	// count quota being exceeded.
	ErrLeaseCountQuotaExceeded = errors.New("lease count quota exceeded")

	// ErrRateLimitQuotaExceeded is returned when a request is rejected due to a
	// rate limit quota being exceeded.
	ErrRateLimitQuotaExceeded = errors.New("rate limit quota exceeded")
)
View Source
var ErrReadOnly = errors.New("cannot write to readonly storage")

    ErrReadOnly is returned when a backend does not support writing. This can be caused by a read-only replica or secondary cluster operation.

    View Source
    var (
    	ErrRelativePath = errors.New("relative paths not supported")
    )
    View Source
    var ErrSetupReadOnly = errors.New("cannot write to storage during setup")

      ErrSetupReadOnly is returned when a write operation is attempted on a storage while the backend is still being setup.

      View Source
      var File_sdk_logical_identity_proto protoreflect.FileDescriptor
      View Source
      var File_sdk_logical_plugin_proto protoreflect.FileDescriptor

      Functions

      func AdjustErrorStatusCode

      func AdjustErrorStatusCode(status *int, err error)

        AdjustErrorStatusCode adjusts the status that will be sent in error conditions in a way that can be shared across http's respondError and other locations.

        func ClearView

        func ClearView(ctx context.Context, view ClearableView) error

          ClearView is used to delete all the keys in a view

          func ClearViewWithLogging

          func ClearViewWithLogging(ctx context.Context, view ClearableView, logger hclog.Logger) error

          func CollectKeys

          func CollectKeys(ctx context.Context, view ClearableView) ([]string, error)

            CollectKeys is used to collect all the keys in a view

            func CollectKeysWithPrefix

            func CollectKeysWithPrefix(ctx context.Context, view ClearableView, prefix string) ([]string, error)

              CollectKeysWithPrefix is used to collect all the keys in a view with a given prefix string

              func IndexStateContext

              func IndexStateContext(ctx context.Context, state *WALState) context.Context

                IndexStateContext returns a context with an added value holding the index state that should be populated on writes.

                func RespondError

                func RespondError(w http.ResponseWriter, status int, err error)

                func RespondErrorCommon

                func RespondErrorCommon(req *Request, resp *Response, err error) (int, error)

                  RespondErrorCommon pulls most of the functionality from http's respondErrorCommon and some of http's handleLogical and makes it available to both the http package and elsewhere.

                  func ScanView

                  func ScanView(ctx context.Context, view ClearableView, cb func(path string)) error

                    ScanView is used to scan all the keys in a view iteratively

                    func TestStorage

                    func TestStorage(t testing.T, s Storage)

                      TestStorage is a helper that can be used from unit tests to verify the behavior of a Storage impl.

                      Types

                      type Alias

                      type Alias struct {
                      
                      	// MountType is the backend mount's type to which this identity belongs
                      	MountType string `sentinel:"" protobuf:"bytes,1,opt,name=mount_type,json=mountType,proto3" json:"mount_type,omitempty"`
                      	// MountAccessor is the identifier of the mount entry to which this
                      	// identity belongs
                      	MountAccessor string `sentinel:"" protobuf:"bytes,2,opt,name=mount_accessor,json=mountAccessor,proto3" json:"mount_accessor,omitempty"`
                      	// Name is the identifier of this identity in its authentication source
                      	Name string `sentinel:"" protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
                      	// Metadata represents the custom data tied to this alias. Fields added
                      	// to it should have a low rate of change (or no change) because each
                      	// change incurs a storage write, so quickly-changing fields can have
                      	// a significant performance impact at scale. See the SDK's
                      	// "aliasmetadata" package for a helper that eases and standardizes
                      	// using this safely.
                      	Metadata map[string]string `` /* 169-byte string literal not displayed */
                      	// ID is the unique identifier for the alias
                      	ID string `sentinel:"" protobuf:"bytes,5,opt,name=ID,proto3" json:"ID,omitempty"`
                      	// NamespaceID is the identifier of the namespace to which this alias
                      	// belongs.
                      	NamespaceID string `sentinel:"" protobuf:"bytes,6,opt,name=namespace_id,json=namespaceID,proto3" json:"namespace_id,omitempty"`
                      	// contains filtered or unexported fields
                      }

                      func (*Alias) Descriptor

                      func (*Alias) Descriptor() ([]byte, []int)

                        Deprecated: Use Alias.ProtoReflect.Descriptor instead.

                        func (*Alias) GetID

                        func (x *Alias) GetID() string

                        func (*Alias) GetMetadata

                        func (x *Alias) GetMetadata() map[string]string

                        func (*Alias) GetMountAccessor

                        func (x *Alias) GetMountAccessor() string

                        func (*Alias) GetMountType

                        func (x *Alias) GetMountType() string

                        func (*Alias) GetName

                        func (x *Alias) GetName() string

                        func (*Alias) GetNamespaceID

                        func (x *Alias) GetNamespaceID() string

                        func (*Alias) ProtoMessage

                        func (*Alias) ProtoMessage()

                        func (*Alias) ProtoReflect

                        func (x *Alias) ProtoReflect() protoreflect.Message

                        func (*Alias) Reset

                        func (x *Alias) Reset()

                        func (*Alias) String

                        func (x *Alias) String() string

                        type Auditor

                        type Auditor interface {
                        	AuditRequest(ctx context.Context, input *LogInput) error
                        	AuditResponse(ctx context.Context, input *LogInput) error
                        }

                        type Auth

                        type Auth struct {
                        	LeaseOptions
                        
                        	// InternalData is JSON-encodable data that is stored with the auth struct.
                        	// This will be sent back during a Renew/Revoke for storing internal data
                        	// used for those operations.
                        	InternalData map[string]interface{} `json:"internal_data" mapstructure:"internal_data" structs:"internal_data"`
                        
                        	// DisplayName is a non-security sensitive identifier that is
                        	// applicable to this Auth. It is used for logging and prefixing
                        	// of dynamic secrets. For example, DisplayName may be "armon" for
                        	// the github credential backend. If the client token is used to
                        	// generate a SQL credential, the user may be "github-armon-uuid".
                        	// This is to help identify the source without using audit tables.
                        	DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`
                        
                        	// Policies is the list of policies that the authenticated user
                        	// is associated with.
                        	Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`
                        
                        	// TokenPolicies and IdentityPolicies break down the list in Policies to
                        	// help determine where a policy was sourced
                        	TokenPolicies    []string `json:"token_policies" mapstructure:"token_policies" structs:"token_policies"`
                        	IdentityPolicies []string `json:"identity_policies" mapstructure:"identity_policies" structs:"identity_policies"`
                        
                        	// ExternalNamespacePolicies represent the policies authorized from
                        	// different namespaces indexed by respective namespace identifiers
                        	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies" mapstructure:"external_namespace_policies" structs:"external_namespace_policies"`
                        
                        	// Indicates that the default policy should not be added by core when
                        	// creating a token. The default policy will still be added if it's
                        	// explicitly defined.
                        	NoDefaultPolicy bool `json:"no_default_policy" mapstructure:"no_default_policy" structs:"no_default_policy"`
                        
                        	// Metadata is used to attach arbitrary string-type metadata to
                        	// an authenticated user. This metadata will be outputted into the
                        	// audit log.
                        	Metadata map[string]string `json:"metadata" mapstructure:"metadata" structs:"metadata"`
                        
                        	// ClientToken is the token that is generated for the authentication.
                        	// This will be filled in by Vault core when an auth structure is
                        	// returned. Setting this manually will have no effect.
                        	ClientToken string `json:"client_token" mapstructure:"client_token" structs:"client_token"`
                        
                        	// Accessor is the identifier for the ClientToken. This can be used
                        	// to perform management functionalities (especially revocation) when
                        	// ClientToken in the audit logs are obfuscated. Accessor can be used
                        	// to revoke a ClientToken and to lookup the capabilities of the ClientToken,
                        	// both without actually knowing the ClientToken.
                        	Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor"`
                        
                        	// Period indicates that the token generated using this Auth object
                        	// should never expire. The token should be renewed within the duration
                        	// specified by this period.
                        	Period time.Duration `json:"period" mapstructure:"period" structs:"period"`
                        
                        	// ExplicitMaxTTL is the max TTL that constrains periodic tokens. For normal
                        	// tokens, this value is constrained by the configured max ttl.
                        	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl"`
                        
                        	// Number of allowed uses of the issued token
                        	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`
                        
                        	// EntityID is the identifier of the entity in identity store to which the
                        	// identity of the authenticating client belongs to.
                        	EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`
                        
                        	// Alias is the information about the authenticated client returned by
                        	// the auth backend
                        	Alias *Alias `json:"alias" mapstructure:"alias" structs:"alias"`
                        
                        	// GroupAliases are the informational mappings of external groups which an
                        	// authenticated user belongs to. This is used to check if there are
                        	// mappings groups for the group aliases in identity store. For all the
                        	// matching groups, the entity ID of the user will be added.
                        	GroupAliases []*Alias `json:"group_aliases" mapstructure:"group_aliases" structs:"group_aliases"`
                        
                        	// The set of CIDRs that this token can be used with
                        	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"`
                        
                        	// CreationPath is a path that the backend can return to use in the lease.
                        	// This is currently only supported for the token store where roles may
                        	// change the perceived path of the lease, even though they don't change
                        	// the request path itself.
                        	CreationPath string `json:"creation_path"`
                        
                        	// TokenType is the type of token being requested
                        	TokenType TokenType `json:"token_type"`
                        
                        	// Orphan is set if the token does not have a parent
                        	Orphan bool `json:"orphan"`
                        }

                          Auth is the resulting authentication information that is part of Response for credential backends.

                          func (*Auth) GoString

                          func (a *Auth) GoString() string

                          type Authz

                          type Authz struct {
                          	Token             string    `json:"token"`
                          	AuthorizationTime time.Time `json:"authorization_time"`
                          }

                          type Backend

                          type Backend interface {
                          
                          	// Initialize is used to initialize a plugin after it has been mounted.
                          	Initialize(context.Context, *InitializationRequest) error
                          
                          	// HandleRequest is used to handle a request and generate a response.
                          	// The backends must check the operation type and handle appropriately.
                          	HandleRequest(context.Context, *Request) (*Response, error)
                          
                          	// SpecialPaths is a list of paths that are special in some way.
                          	// See PathType for the types of special paths. The key is the type
                          	// of the special path, and the value is a list of paths for this type.
                          	// This is not a regular expression but is an exact match. If the path
                          	// ends in '*' then it is a prefix-based match. The '*' can only appear
                          	// at the end.
                          	SpecialPaths() *Paths
                          
                          	// System provides an interface to access certain system configuration
                          	// information, such as globally configured default and max lease TTLs.
                          	System() SystemView
                          
                          	// Logger provides an interface to access the underlying logger. This
                          	// is useful when a struct embeds a Backend-implemented struct that
                          	// contains a private instance of logger.
                          	Logger() log.Logger
                          
                          	// HandleExistenceCheck is used to handle a request and generate a response
                          	// indicating whether the given path exists or not; this is used to
                          	// understand whether the request must have a Create or Update capability
                          	// ACL applied. The first bool indicates whether an existence check
                          	// function was found for the backend; the second indicates whether, if an
                          	// existence check function was found, the item exists or not.
                          	HandleExistenceCheck(context.Context, *Request) (bool, bool, error)
                          
                          	// Cleanup is invoked during an unmount of a backend to allow it to
                          	// handle any cleanup like connection closing or releasing of file handles.
                          	Cleanup(context.Context)
                          
                          	// InvalidateKey may be invoked when an object is modified that belongs
                          	// to the backend. The backend can use this to clear any caches or reset
                          	// internal state as needed.
                          	InvalidateKey(context.Context, string)
                          
                          	// Setup is used to set up the backend based on the provided backend
                          	// configuration.
                          	Setup(context.Context, *BackendConfig) error
                          
                          	// Type returns the BackendType for the particular backend
                          	Type() BackendType
                          }

                            Backend interface must be implemented to be "mountable" at a given path. Requests flow through a router which has various mount points that flow to a logical backend. The logic of each backend is flexible, and this is what allows materialized keys to function. There can be specialized logical backends for various upstreams (Consul, PostgreSQL, MySQL, etc) that can interact with remote APIs to generate keys dynamically. This interface also allows for a "procfs" like interaction, as internal state can be exposed by acting like a logical backend and being mounted.

                            type BackendConfig

                            type BackendConfig struct {
                            	// View should not be stored, and should only be used for initialization
                            	StorageView Storage
                            
                            	// The backend should use this logger. The log should not contain any secrets.
                            	Logger log.Logger
                            
                            	// System provides a view into a subset of safe system information that
                            	// is useful for backends, such as the default/max lease TTLs
                            	System SystemView
                            
                            	// BackendUUID is a unique identifier provided to this backend. It's useful
                            	// when a backend needs a consistent and unique string without using storage.
                            	BackendUUID string
                            
                            	// Config is the opaque user configuration provided when mounting
                            	Config map[string]string
                            }

                              BackendConfig is provided to the factory to initialize the backend

                              func TestBackendConfig

                              func TestBackendConfig() *BackendConfig

                              type BackendType

                              type BackendType uint32

                                BackendType is the type of backend that is being implemented

                                const (
                                	TypeUnknown    BackendType = 0 // This is also the zero-value for BackendType
                                	TypeLogical    BackendType = 1
                                	TypeCredential BackendType = 2
                                )

                                  The these are the types of backends that can be derived from logical.Backend

                                  func (BackendType) String

                                  func (b BackendType) String() string

                                    Stringer implementation

                                    type ClearableView

                                    type ClearableView interface {
                                    	List(context.Context, string) ([]string, error)
                                    	Delete(context.Context, string) error
                                    }

                                    type ClientTokenSource

                                    type ClientTokenSource uint32
                                    const (
                                    	NoClientToken ClientTokenSource = iota
                                    	ClientTokenFromVaultHeader
                                    	ClientTokenFromAuthzHeader
                                    )

                                    type Connection

                                    type Connection struct {
                                    	// RemoteAddr is the network address that sent the request.
                                    	RemoteAddr string `json:"remote_addr"`
                                    
                                    	// ConnState is the TLS connection state if applicable.
                                    	ConnState *tls.ConnectionState `sentinel:""`
                                    }

                                      Connection represents the connection information for a request. This is present on the Request structure for credential backends.

                                      type ControlGroup

                                      type ControlGroup struct {
                                      	Authorizations []*Authz  `json:"authorizations"`
                                      	RequestTime    time.Time `json:"request_time"`
                                      	Approved       bool      `json:"approved"`
                                      	NamespaceID    string    `json:"namespace_id"`
                                      }

                                      type Entity

                                      type Entity struct {
                                      
                                      	// ID is the unique identifier for the entity
                                      	ID string `sentinel:"" protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
                                      	// Name is the human-friendly unique identifier for the entity
                                      	Name string `sentinel:"" protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
                                      	// Aliases contains thhe alias mappings for the given entity
                                      	Aliases []*Alias `sentinel:"" protobuf:"bytes,3,rep,name=aliases,proto3" json:"aliases,omitempty"`
                                      	// Metadata represents the custom data tied to this entity
                                      	Metadata map[string]string `` /* 169-byte string literal not displayed */
                                      	// Disabled is true if the entity is disabled.
                                      	Disabled bool `sentinel:"" protobuf:"varint,5,opt,name=disabled,proto3" json:"disabled,omitempty"`
                                      	// NamespaceID is the identifier of the namespace to which this entity
                                      	// belongs to.
                                      	NamespaceID string `sentinel:"" protobuf:"bytes,6,opt,name=namespace_id,json=namespaceID,proto3" json:"namespace_id,omitempty"`
                                      	// contains filtered or unexported fields
                                      }

                                      func (*Entity) Descriptor

                                      func (*Entity) Descriptor() ([]byte, []int)

                                        Deprecated: Use Entity.ProtoReflect.Descriptor instead.

                                        func (*Entity) GetAliases

                                        func (x *Entity) GetAliases() []*Alias

                                        func (*Entity) GetDisabled

                                        func (x *Entity) GetDisabled() bool

                                        func (*Entity) GetID

                                        func (x *Entity) GetID() string

                                        func (*Entity) GetMetadata

                                        func (x *Entity) GetMetadata() map[string]string

                                        func (*Entity) GetName

                                        func (x *Entity) GetName() string

                                        func (*Entity) GetNamespaceID

                                        func (x *Entity) GetNamespaceID() string

                                        func (*Entity) ProtoMessage

                                        func (*Entity) ProtoMessage()

                                        func (*Entity) ProtoReflect

                                        func (x *Entity) ProtoReflect() protoreflect.Message

                                        func (*Entity) Reset

                                        func (x *Entity) Reset()

                                        func (*Entity) String

                                        func (x *Entity) String() string

                                        type ExtendedSystemView

                                        type ExtendedSystemView interface {
                                        	Auditor() Auditor
                                        	ForwardGenericRequest(context.Context, *Request) (*Response, error)
                                        }

                                        type Factory

                                        type Factory func(context.Context, *BackendConfig) (Backend, error)

                                          Factory is the factory function to create a logical backend.

                                          type Group

                                          type Group struct {
                                          
                                          	// ID is the unique identifier for the group
                                          	ID string `sentinel:"" protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
                                          	// Name is the human-friendly unique identifier for the group
                                          	Name string `sentinel:"" protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
                                          	// Metadata represents the custom data tied to this group
                                          	Metadata map[string]string `` /* 169-byte string literal not displayed */
                                          	// NamespaceID is the identifier of the namespace to which this group
                                          	// belongs to.
                                          	NamespaceID string `sentinel:"" protobuf:"bytes,4,opt,name=namespace_id,json=namespaceID,proto3" json:"namespace_id,omitempty"`
                                          	// contains filtered or unexported fields
                                          }

                                          func (*Group) Descriptor

                                          func (*Group) Descriptor() ([]byte, []int)

                                            Deprecated: Use Group.ProtoReflect.Descriptor instead.

                                            func (*Group) GetID

                                            func (x *Group) GetID() string

                                            func (*Group) GetMetadata

                                            func (x *Group) GetMetadata() map[string]string

                                            func (*Group) GetName

                                            func (x *Group) GetName() string

                                            func (*Group) GetNamespaceID

                                            func (x *Group) GetNamespaceID() string

                                            func (*Group) ProtoMessage

                                            func (*Group) ProtoMessage()

                                            func (*Group) ProtoReflect

                                            func (x *Group) ProtoReflect() protoreflect.Message

                                            func (*Group) Reset

                                            func (x *Group) Reset()

                                            func (*Group) String

                                            func (x *Group) String() string

                                            type HTTPAuth

                                            type HTTPAuth struct {
                                            	ClientToken      string            `json:"client_token"`
                                            	Accessor         string            `json:"accessor"`
                                            	Policies         []string          `json:"policies"`
                                            	TokenPolicies    []string          `json:"token_policies,omitempty"`
                                            	IdentityPolicies []string          `json:"identity_policies,omitempty"`
                                            	Metadata         map[string]string `json:"metadata"`
                                            	LeaseDuration    int               `json:"lease_duration"`
                                            	Renewable        bool              `json:"renewable"`
                                            	EntityID         string            `json:"entity_id"`
                                            	TokenType        string            `json:"token_type"`
                                            	Orphan           bool              `json:"orphan"`
                                            }

                                            type HTTPCodedError

                                            type HTTPCodedError interface {
                                            	Error() string
                                            	Code() int
                                            }

                                            func CodedError

                                            func CodedError(status int, msg string) HTTPCodedError

                                            type HTTPResponse

                                            type HTTPResponse struct {
                                            	RequestID     string                 `json:"request_id"`
                                            	LeaseID       string                 `json:"lease_id"`
                                            	Renewable     bool                   `json:"renewable"`
                                            	LeaseDuration int                    `json:"lease_duration"`
                                            	Data          map[string]interface{} `json:"data"`
                                            	WrapInfo      *HTTPWrapInfo          `json:"wrap_info"`
                                            	Warnings      []string               `json:"warnings"`
                                            	Headers       map[string][]string    `json:"-"`
                                            	Auth          *HTTPAuth              `json:"auth"`
                                            }

                                            func LogicalResponseToHTTPResponse

                                            func LogicalResponseToHTTPResponse(input *Response) *HTTPResponse

                                              This logic was pulled from the http package so that it can be used for encoding wrapped responses as well. It simply translates the logical response to an http response, with the values we want and omitting the values we don't.

                                              type HTTPResponseWriter

                                              type HTTPResponseWriter struct {
                                              	http.ResponseWriter
                                              	// contains filtered or unexported fields
                                              }

                                                HTTPResponseWriter is optionally added to a request object and can be used to write directly to the HTTP response writer.

                                                func NewHTTPResponseWriter

                                                func NewHTTPResponseWriter(w http.ResponseWriter) *HTTPResponseWriter

                                                  NewHTTPResponseWriter creates a new HTTPResponseWriter object that wraps the provided io.Writer.

                                                  func (*HTTPResponseWriter) Write

                                                  func (rw *HTTPResponseWriter) Write(bytes []byte) (int, error)

                                                    Write will write the bytes to the underlying io.Writer.

                                                    func (*HTTPResponseWriter) Written

                                                    func (rw *HTTPResponseWriter) Written() bool

                                                      Written tells us if the writer has been written to yet.

                                                      type HTTPSysInjector

                                                      type HTTPSysInjector struct {
                                                      	Response *HTTPResponse
                                                      }

                                                      func (HTTPSysInjector) MarshalJSON

                                                      func (h HTTPSysInjector) MarshalJSON() ([]byte, error)

                                                      type HTTPWrapInfo

                                                      type HTTPWrapInfo struct {
                                                      	Token           string `json:"token"`
                                                      	Accessor        string `json:"accessor"`
                                                      	TTL             int    `json:"ttl"`
                                                      	CreationTime    string `json:"creation_time"`
                                                      	CreationPath    string `json:"creation_path"`
                                                      	WrappedAccessor string `json:"wrapped_accessor,omitempty"`
                                                      }

                                                      type InitializationRequest

                                                      type InitializationRequest struct {
                                                      
                                                      	// Storage can be used to durably store and retrieve state.
                                                      	Storage Storage
                                                      }

                                                        InitializationRequest stores the parameters and context of an Initialize() call being made to a logical.Backend.

                                                        type InmemStorage

                                                        type InmemStorage struct {
                                                        	// contains filtered or unexported fields
                                                        }

                                                          InmemStorage implements Storage and stores all data in memory. It is basically a straight copy of physical.Inmem, but it prevents backends from having to load all of physical's dependencies (which are legion) just to have some testing storage.

                                                          func (*InmemStorage) Delete

                                                          func (s *InmemStorage) Delete(ctx context.Context, key string) error

                                                          func (*InmemStorage) FailDelete

                                                          func (s *InmemStorage) FailDelete(fail bool) *InmemStorage

                                                          func (*InmemStorage) FailGet

                                                          func (s *InmemStorage) FailGet(fail bool) *InmemStorage

                                                          func (*InmemStorage) FailList

                                                          func (s *InmemStorage) FailList(fail bool) *InmemStorage

                                                          func (*InmemStorage) FailPut

                                                          func (s *InmemStorage) FailPut(fail bool) *InmemStorage

                                                          func (*InmemStorage) Get

                                                          func (s *InmemStorage) Get(ctx context.Context, key string) (*StorageEntry, error)

                                                          func (*InmemStorage) List

                                                          func (s *InmemStorage) List(ctx context.Context, prefix string) ([]string, error)

                                                          func (*InmemStorage) Put

                                                          func (s *InmemStorage) Put(ctx context.Context, entry *StorageEntry) error

                                                          func (*InmemStorage) Underlying

                                                          func (s *InmemStorage) Underlying() *inmem.InmemBackend

                                                          type KeyNotFoundError

                                                          type KeyNotFoundError struct {
                                                          	Err error
                                                          }

                                                          func (*KeyNotFoundError) Error

                                                          func (e *KeyNotFoundError) Error() string

                                                          func (*KeyNotFoundError) WrappedErrors

                                                          func (e *KeyNotFoundError) WrappedErrors() []error

                                                          type LeaseOptions

                                                          type LeaseOptions struct {
                                                          	// TTL is the duration that this secret is valid for. Vault
                                                          	// will automatically revoke it after the duration.
                                                          	TTL time.Duration `json:"lease"`
                                                          
                                                          	// MaxTTL is the maximum duration that this secret is valid for.
                                                          	MaxTTL time.Duration `json:"max_ttl"`
                                                          
                                                          	// Renewable, if true, means that this secret can be renewed.
                                                          	Renewable bool `json:"renewable"`
                                                          
                                                          	// Increment will be the lease increment that the user requested.
                                                          	// This is only available on a Renew operation and has no effect
                                                          	// when returning a response.
                                                          	Increment time.Duration `json:"-"`
                                                          
                                                          	// IssueTime is the time of issue for the original lease. This is
                                                          	// only available on Renew and Revoke operations and has no effect when returning
                                                          	// a response. It can be used to enforce maximum lease periods by
                                                          	// a logical backend.
                                                          	IssueTime time.Time `json:"-"`
                                                          }

                                                            LeaseOptions is an embeddable struct to capture common lease settings between a Secret and Auth

                                                            func (*LeaseOptions) ExpirationTime

                                                            func (l *LeaseOptions) ExpirationTime() time.Time

                                                              ExpirationTime computes the time until expiration including the grace period

                                                              func (*LeaseOptions) LeaseEnabled

                                                              func (l *LeaseOptions) LeaseEnabled() bool

                                                                LeaseEnabled checks if leasing is enabled

                                                                func (*LeaseOptions) LeaseTotal

                                                                func (l *LeaseOptions) LeaseTotal() time.Duration

                                                                  LeaseTotal is the lease duration with a guard against a negative TTL

                                                                  type LogInput

                                                                  type LogInput struct {
                                                                  	Type                string
                                                                  	Auth                *Auth
                                                                  	Request             *Request
                                                                  	Response            *Response
                                                                  	OuterErr            error
                                                                  	NonHMACReqDataKeys  []string
                                                                  	NonHMACRespDataKeys []string
                                                                  }

                                                                  type LogicalStorage

                                                                  type LogicalStorage struct {
                                                                  	// contains filtered or unexported fields
                                                                  }

                                                                  func NewLogicalStorage

                                                                  func NewLogicalStorage(underlying physical.Backend) *LogicalStorage

                                                                  func (*LogicalStorage) Delete

                                                                  func (s *LogicalStorage) Delete(ctx context.Context, key string) error

                                                                  func (*LogicalStorage) Get

                                                                  func (s *LogicalStorage) Get(ctx context.Context, key string) (*StorageEntry, error)

                                                                  func (*LogicalStorage) List

                                                                  func (s *LogicalStorage) List(ctx context.Context, prefix string) ([]string, error)

                                                                  func (*LogicalStorage) Put

                                                                  func (s *LogicalStorage) Put(ctx context.Context, entry *StorageEntry) error

                                                                  func (*LogicalStorage) Underlying

                                                                  func (s *LogicalStorage) Underlying() physical.Backend

                                                                  type MFACreds

                                                                  type MFACreds map[string][]string

                                                                  type MarshalOptions

                                                                  type MarshalOptions struct {
                                                                  	ValueHasher func(string) string
                                                                  }

                                                                  type Operation

                                                                  type Operation string

                                                                    Operation is an enum that is used to specify the type of request being made

                                                                    type OptMarshaler

                                                                    type OptMarshaler interface {
                                                                    	MarshalJSONWithOptions(*MarshalOptions) ([]byte, error)
                                                                    }

                                                                    type PasswordGenerator

                                                                    type PasswordGenerator func() (password string, err error)

                                                                    type PasswordPolicy

                                                                    type PasswordPolicy interface {
                                                                    	// Generate a random password
                                                                    	Generate(context.Context, io.Reader) (string, error)
                                                                    }

                                                                    type Paths

                                                                    type Paths struct {
                                                                    	// Root are the paths that require a root token to access
                                                                    	Root []string
                                                                    
                                                                    	// Unauthenticated are the paths that can be accessed without any auth.
                                                                    	Unauthenticated []string
                                                                    
                                                                    	// LocalStorage are paths (prefixes) that are local to this instance; this
                                                                    	// indicates that these paths should not be replicated
                                                                    	LocalStorage []string
                                                                    
                                                                    	// SealWrapStorage are storage paths that, when using a capable seal,
                                                                    	// should be seal wrapped with extra encryption. It is exact matching
                                                                    	// unless it ends with '/' in which case it will be treated as a prefix.
                                                                    	SealWrapStorage []string
                                                                    }

                                                                      Paths is the structure of special paths that is used for SpecialPaths.

                                                                      type PluginEnvironment

                                                                      type PluginEnvironment struct {
                                                                      
                                                                      	// VaultVersion is the version of the Vault server
                                                                      	VaultVersion string `protobuf:"bytes,1,opt,name=vault_version,json=vaultVersion,proto3" json:"vault_version,omitempty"`
                                                                      	// contains filtered or unexported fields
                                                                      }

                                                                      func (*PluginEnvironment) Descriptor

                                                                      func (*PluginEnvironment) Descriptor() ([]byte, []int)

                                                                        Deprecated: Use PluginEnvironment.ProtoReflect.Descriptor instead.

                                                                        func (*PluginEnvironment) GetVaultVersion

                                                                        func (x *PluginEnvironment) GetVaultVersion() string

                                                                        func (*PluginEnvironment) ProtoMessage

                                                                        func (*PluginEnvironment) ProtoMessage()

                                                                        func (*PluginEnvironment) ProtoReflect

                                                                        func (x *PluginEnvironment) ProtoReflect() protoreflect.Message

                                                                        func (*PluginEnvironment) Reset

                                                                        func (x *PluginEnvironment) Reset()

                                                                        func (*PluginEnvironment) String

                                                                        func (x *PluginEnvironment) String() string

                                                                        type ReplicationCodedError

                                                                        type ReplicationCodedError struct {
                                                                        	Msg  string
                                                                        	Code int
                                                                        }

                                                                          This is a new type declared to not cause potential compatibility problems if the logic around the CodedError changes; in particular for logical request paths it is basically ignored, and changing that behavior might cause unforeseen issues.

                                                                          func (*ReplicationCodedError) Error

                                                                          func (r *ReplicationCodedError) Error() string

                                                                          type Request

                                                                          type Request struct {
                                                                          	// Id is the uuid associated with each request
                                                                          	ID string `json:"id" structs:"id" mapstructure:"id" sentinel:""`
                                                                          
                                                                          	// If set, the name given to the replication secondary where this request
                                                                          	// originated
                                                                          	ReplicationCluster string `json:"replication_cluster" structs:"replication_cluster" mapstructure:"replication_cluster" sentinel:""`
                                                                          
                                                                          	// Operation is the requested operation type
                                                                          	Operation Operation `json:"operation" structs:"operation" mapstructure:"operation"`
                                                                          
                                                                          	// Path is the full path of the request
                                                                          	Path string `json:"path" structs:"path" mapstructure:"path" sentinel:""`
                                                                          
                                                                          	// Request data is an opaque map that must have string keys.
                                                                          	Data map[string]interface{} `json:"map" structs:"data" mapstructure:"data"`
                                                                          
                                                                          	// Storage can be used to durably store and retrieve state.
                                                                          	Storage Storage `json:"-" sentinel:""`
                                                                          
                                                                          	// Secret will be non-nil only for Revoke and Renew operations
                                                                          	// to represent the secret that was returned prior.
                                                                          	Secret *Secret `json:"secret" structs:"secret" mapstructure:"secret" sentinel:""`
                                                                          
                                                                          	// Auth will be non-nil only for Renew operations
                                                                          	// to represent the auth that was returned prior.
                                                                          	Auth *Auth `json:"auth" structs:"auth" mapstructure:"auth" sentinel:""`
                                                                          
                                                                          	// Headers will contain the http headers from the request. This value will
                                                                          	// be used in the audit broker to ensure we are auditing only the allowed
                                                                          	// headers.
                                                                          	Headers map[string][]string `json:"headers" structs:"headers" mapstructure:"headers" sentinel:""`
                                                                          
                                                                          	// Connection will be non-nil only for credential providers to
                                                                          	// inspect the connection information and potentially use it for
                                                                          	// authentication/protection.
                                                                          	Connection *Connection `json:"connection" structs:"connection" mapstructure:"connection"`
                                                                          
                                                                          	// ClientToken is provided to the core so that the identity
                                                                          	// can be verified and ACLs applied. This value is passed
                                                                          	// through to the logical backends but after being salted and
                                                                          	// hashed.
                                                                          	ClientToken string `json:"client_token" structs:"client_token" mapstructure:"client_token" sentinel:""`
                                                                          
                                                                          	// ClientTokenAccessor is provided to the core so that the it can get
                                                                          	// logged as part of request audit logging.
                                                                          	ClientTokenAccessor string `json:"client_token_accessor" structs:"client_token_accessor" mapstructure:"client_token_accessor" sentinel:""`
                                                                          
                                                                          	// DisplayName is provided to the logical backend to help associate
                                                                          	// dynamic secrets with the source entity. This is not a sensitive
                                                                          	// name, but is useful for operators.
                                                                          	DisplayName string `json:"display_name" structs:"display_name" mapstructure:"display_name" sentinel:""`
                                                                          
                                                                          	// MountPoint is provided so that a logical backend can generate
                                                                          	// paths relative to itself. The `Path` is effectively the client
                                                                          	// request path with the MountPoint trimmed off.
                                                                          	MountPoint string `json:"mount_point" structs:"mount_point" mapstructure:"mount_point" sentinel:""`
                                                                          
                                                                          	// MountType is provided so that a logical backend can make decisions
                                                                          	// based on the specific mount type (e.g., if a mount type has different
                                                                          	// aliases, generating different defaults depending on the alias)
                                                                          	MountType string `json:"mount_type" structs:"mount_type" mapstructure:"mount_type" sentinel:""`
                                                                          
                                                                          	// MountAccessor is provided so that identities returned by the authentication
                                                                          	// backends can be tied to the mount it belongs to.
                                                                          	MountAccessor string `json:"mount_accessor" structs:"mount_accessor" mapstructure:"mount_accessor" sentinel:""`
                                                                          
                                                                          	// WrapInfo contains requested response wrapping parameters
                                                                          	WrapInfo *RequestWrapInfo `json:"wrap_info" structs:"wrap_info" mapstructure:"wrap_info" sentinel:""`
                                                                          
                                                                          	// ClientTokenRemainingUses represents the allowed number of uses left on the
                                                                          	// token supplied
                                                                          	ClientTokenRemainingUses int `json:"client_token_remaining_uses" structs:"client_token_remaining_uses" mapstructure:"client_token_remaining_uses"`
                                                                          
                                                                          	// EntityID is the identity of the caller extracted out of the token used
                                                                          	// to make this request
                                                                          	EntityID string `json:"entity_id" structs:"entity_id" mapstructure:"entity_id" sentinel:""`
                                                                          
                                                                          	// PolicyOverride indicates that the requestor wishes to override
                                                                          	// soft-mandatory Sentinel policies
                                                                          	PolicyOverride bool `json:"policy_override" structs:"policy_override" mapstructure:"policy_override"`
                                                                          
                                                                          	// Whether the request is unauthenticated, as in, had no client token
                                                                          	// attached. Useful in some situations where the client token is not made
                                                                          	// accessible.
                                                                          	Unauthenticated bool `json:"unauthenticated" structs:"unauthenticated" mapstructure:"unauthenticated"`
                                                                          
                                                                          	// MFACreds holds the parsed MFA information supplied over the API as part of
                                                                          	// X-Vault-MFA header
                                                                          	MFACreds MFACreds `json:"mfa_creds" structs:"mfa_creds" mapstructure:"mfa_creds" sentinel:""`
                                                                          
                                                                          	// ControlGroup holds the authorizations that have happened on this
                                                                          	// request
                                                                          	ControlGroup *ControlGroup `json:"control_group" structs:"control_group" mapstructure:"control_group" sentinel:""`
                                                                          
                                                                          	// ClientTokenSource tells us where the client token was sourced from, so
                                                                          	// we can delete it before sending off to plugins
                                                                          	ClientTokenSource ClientTokenSource
                                                                          
                                                                          	// HTTPRequest, if set, can be used to access fields from the HTTP request
                                                                          	// that generated this logical.Request object, such as the request body.
                                                                          	HTTPRequest *http.Request `json:"-" sentinel:""`
                                                                          
                                                                          	// ResponseWriter if set can be used to stream a response value to the http
                                                                          	// request that generated this logical.Request object.
                                                                          	ResponseWriter *HTTPResponseWriter `json:"-" sentinel:""`
                                                                          	// contains filtered or unexported fields
                                                                          }

                                                                            Request is a struct that stores the parameters and context of a request being made to Vault. It is used to abstract the details of the higher level request protocol from the handlers.

                                                                            Note: Many of these have Sentinel disabled because they are values populated by the router after policy checks; the token namespace would be the right place to access them via Sentinel

                                                                            func RenewAuthRequest

                                                                            func RenewAuthRequest(path string, auth *Auth, data map[string]interface{}) *Request

                                                                              RenewAuthRequest creates the structure of the renew request for an auth.

                                                                              func RenewRequest

                                                                              func RenewRequest(path string, secret *Secret, data map[string]interface{}) *Request

                                                                                RenewRequest creates the structure of the renew request.

                                                                                func RevokeRequest

                                                                                func RevokeRequest(path string, secret *Secret, data map[string]interface{}) *Request

                                                                                  RevokeRequest creates the structure of the revoke request.

                                                                                  func RollbackRequest

                                                                                  func RollbackRequest(path string) *Request

                                                                                    RollbackRequest creates the structure of the revoke request.

                                                                                    func TestRequest

                                                                                    func TestRequest(t testing.T, op Operation, path string) *Request

                                                                                      TestRequest is a helper to create a purely in-memory Request struct.

                                                                                      func (*Request) Clone

                                                                                      func (r *Request) Clone() (*Request, error)

                                                                                        Clone returns a deep copy of the request by using copystructure

                                                                                        func (*Request) Get

                                                                                        func (r *Request) Get(key string) interface{}

                                                                                          Get returns a data field and guards for nil Data

                                                                                          func (*Request) GetString

                                                                                          func (r *Request) GetString(key string) string

                                                                                            GetString returns a data field as a string

                                                                                            func (*Request) GoString

                                                                                            func (r *Request) GoString() string

                                                                                            func (*Request) LastRemoteWAL

                                                                                            func (r *Request) LastRemoteWAL() uint64

                                                                                            func (*Request) ResponseState

                                                                                            func (r *Request) ResponseState() *WALState

                                                                                            func (*Request) SentinelGet

                                                                                            func (r *Request) SentinelGet(key string) (interface{}, error)

                                                                                            func (*Request) SentinelKeys

                                                                                            func (r *Request) SentinelKeys() []string

                                                                                            func (*Request) SetLastRemoteWAL

                                                                                            func (r *Request) SetLastRemoteWAL(last uint64)

                                                                                            func (*Request) SetResponseState

                                                                                            func (r *Request) SetResponseState(w *WALState)

                                                                                            func (*Request) SetTokenEntry

                                                                                            func (r *Request) SetTokenEntry(te *TokenEntry)

                                                                                            func (*Request) TokenEntry

                                                                                            func (r *Request) TokenEntry() *TokenEntry

                                                                                            type RequestWrapInfo

                                                                                            type RequestWrapInfo struct {
                                                                                            	// Setting to non-zero specifies that the response should be wrapped.
                                                                                            	// Specifies the desired TTL of the wrapping token.
                                                                                            	TTL time.Duration `json:"ttl" structs:"ttl" mapstructure:"ttl" sentinel:""`
                                                                                            
                                                                                            	// The format to use for the wrapped response; if not specified it's a bare
                                                                                            	// token
                                                                                            	Format string `json:"format" structs:"format" mapstructure:"format" sentinel:""`
                                                                                            
                                                                                            	// A flag to conforming backends that data for a given request should be
                                                                                            	// seal wrapped
                                                                                            	SealWrap bool `json:"seal_wrap" structs:"seal_wrap" mapstructure:"seal_wrap" sentinel:""`
                                                                                            }

                                                                                              RequestWrapInfo is a struct that stores information about desired response and seal wrapping behavior

                                                                                              func (*RequestWrapInfo) SentinelGet

                                                                                              func (r *RequestWrapInfo) SentinelGet(key string) (interface{}, error)

                                                                                              func (*RequestWrapInfo) SentinelKeys

                                                                                              func (r *RequestWrapInfo) SentinelKeys() []string

                                                                                              type Response

                                                                                              type Response struct {
                                                                                              	// Secret, if not nil, denotes that this response represents a secret.
                                                                                              	Secret *Secret `json:"secret" structs:"secret" mapstructure:"secret"`
                                                                                              
                                                                                              	// Auth, if not nil, contains the authentication information for
                                                                                              	// this response. This is only checked and means something for
                                                                                              	// credential backends.
                                                                                              	Auth *Auth `json:"auth" structs:"auth" mapstructure:"auth"`
                                                                                              
                                                                                              	// Response data is an opaque map that must have string keys. For
                                                                                              	// secrets, this data is sent down to the user as-is. To store internal
                                                                                              	// data that you don't want the user to see, store it in
                                                                                              	// Secret.InternalData.
                                                                                              	Data map[string]interface{} `json:"data" structs:"data" mapstructure:"data"`
                                                                                              
                                                                                              	// Redirect is an HTTP URL to redirect to for further authentication.
                                                                                              	// This is only valid for credential backends. This will be blanked
                                                                                              	// for any logical backend and ignored.
                                                                                              	Redirect string `json:"redirect" structs:"redirect" mapstructure:"redirect"`
                                                                                              
                                                                                              	// Warnings allow operations or backends to return warnings in response
                                                                                              	// to user actions without failing the action outright.
                                                                                              	Warnings []string `json:"warnings" structs:"warnings" mapstructure:"warnings"`
                                                                                              
                                                                                              	// Information for wrapping the response in a cubbyhole
                                                                                              	WrapInfo *wrapping.ResponseWrapInfo `json:"wrap_info" structs:"wrap_info" mapstructure:"wrap_info"`
                                                                                              
                                                                                              	// Headers will contain the http headers from the plugin that it wishes to
                                                                                              	// have as part of the output
                                                                                              	Headers map[string][]string `json:"headers" structs:"headers" mapstructure:"headers"`
                                                                                              }

                                                                                                Response is a struct that stores the response of a request. It is used to abstract the details of the higher level request protocol.

                                                                                                func ErrorResponse

                                                                                                func ErrorResponse(text string, vargs ...interface{}) *Response

                                                                                                  ErrorResponse is used to format an error response

                                                                                                  func HTTPResponseToLogicalResponse

                                                                                                  func HTTPResponseToLogicalResponse(input *HTTPResponse) *Response

                                                                                                  func HelpResponse

                                                                                                  func HelpResponse(text string, seeAlso []string, oapiDoc interface{}) *Response

                                                                                                    HelpResponse is used to format a help response

                                                                                                    func ListResponse

                                                                                                    func ListResponse(keys []string) *Response

                                                                                                      ListResponse is used to format a response to a list operation.

                                                                                                      func ListResponseWithInfo

                                                                                                      func ListResponseWithInfo(keys []string, keyInfo map[string]interface{}) *Response

                                                                                                        ListResponseWithInfo is used to format a response to a list operation and return the keys as well as a map with corresponding key info.

                                                                                                        func RespondWithStatusCode

                                                                                                        func RespondWithStatusCode(resp *Response, req *Request, code int) (*Response, error)

                                                                                                          RespondWithStatusCode takes a response and converts it to a raw response with the provided Status Code.

                                                                                                          func (*Response) AddWarning

                                                                                                          func (r *Response) AddWarning(warning string)

                                                                                                            AddWarning adds a warning into the response's warning list

                                                                                                            func (*Response) Error

                                                                                                            func (r *Response) Error() error

                                                                                                            func (*Response) IsError

                                                                                                            func (r *Response) IsError() bool

                                                                                                              IsError returns true if this response seems to indicate an error.

                                                                                                              type Secret

                                                                                                              type Secret struct {
                                                                                                              	LeaseOptions
                                                                                                              
                                                                                                              	// InternalData is JSON-encodable data that is stored with the secret.
                                                                                                              	// This will be sent back during a Renew/Revoke for storing internal data
                                                                                                              	// used for those operations.
                                                                                                              	InternalData map[string]interface{} `json:"internal_data" sentinel:""`
                                                                                                              
                                                                                                              	// LeaseID is the ID returned to the user to manage this secret.
                                                                                                              	// This is generated by Vault core. Any set value will be ignored.
                                                                                                              	// For requests, this will always be blank.
                                                                                                              	LeaseID string `sentinel:""`
                                                                                                              }

                                                                                                                Secret represents the secret part of a response.

                                                                                                                func (*Secret) GoString

                                                                                                                func (s *Secret) GoString() string

                                                                                                                func (*Secret) Validate

                                                                                                                func (s *Secret) Validate() error

                                                                                                                type StaticSystemView

                                                                                                                type StaticSystemView struct {
                                                                                                                	DefaultLeaseTTLVal  time.Duration
                                                                                                                	MaxLeaseTTLVal      time.Duration
                                                                                                                	SudoPrivilegeVal    bool
                                                                                                                	TaintedVal          bool
                                                                                                                	CachingDisabledVal  bool
                                                                                                                	Primary             bool
                                                                                                                	EnableMlock         bool
                                                                                                                	LocalMountVal       bool
                                                                                                                	ReplicationStateVal consts.ReplicationState
                                                                                                                	EntityVal           *Entity
                                                                                                                	GroupsVal           []*Group
                                                                                                                	Features            license.Features
                                                                                                                	VaultVersion        string
                                                                                                                	PluginEnvironment   *PluginEnvironment
                                                                                                                	PasswordPolicies    map[string]PasswordGenerator
                                                                                                                }

                                                                                                                func TestSystemView

                                                                                                                func TestSystemView() *StaticSystemView

                                                                                                                func (StaticSystemView) Auditor

                                                                                                                func (d StaticSystemView) Auditor() Auditor

                                                                                                                func (StaticSystemView) CachingDisabled

                                                                                                                func (d StaticSystemView) CachingDisabled() bool

                                                                                                                func (StaticSystemView) DefaultLeaseTTL

                                                                                                                func (d StaticSystemView) DefaultLeaseTTL() time.Duration

                                                                                                                func (*StaticSystemView) DeletePasswordPolicy

                                                                                                                func (d *StaticSystemView) DeletePasswordPolicy(name string) (existed bool)

                                                                                                                func (StaticSystemView) EntityInfo

                                                                                                                func (d StaticSystemView) EntityInfo(entityID string) (*Entity, error)

                                                                                                                func (StaticSystemView) ForwardGenericRequest

                                                                                                                func (d StaticSystemView) ForwardGenericRequest(ctx context.Context, req *Request) (*Response, error)

                                                                                                                func (StaticSystemView) GeneratePasswordFromPolicy

                                                                                                                func (d StaticSystemView) GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error)

                                                                                                                func (StaticSystemView) GroupsForEntity

                                                                                                                func (d StaticSystemView) GroupsForEntity(entityID string) ([]*Group, error)

                                                                                                                func (StaticSystemView) HasFeature

                                                                                                                func (d StaticSystemView) HasFeature(feature license.Features) bool

                                                                                                                func (StaticSystemView) LocalMount

                                                                                                                func (d StaticSystemView) LocalMount() bool

                                                                                                                func (StaticSystemView) LookupPlugin

                                                                                                                func (StaticSystemView) MaxLeaseTTL

                                                                                                                func (d StaticSystemView) MaxLeaseTTL() time.Duration

                                                                                                                func (StaticSystemView) MlockEnabled

                                                                                                                func (d StaticSystemView) MlockEnabled() bool

                                                                                                                func (StaticSystemView) PluginEnv

                                                                                                                func (StaticSystemView) ReplicationState

                                                                                                                func (d StaticSystemView) ReplicationState() consts.ReplicationState

                                                                                                                func (StaticSystemView) ResponseWrapData

                                                                                                                func (d StaticSystemView) ResponseWrapData(_ context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error)

                                                                                                                func (*StaticSystemView) SetPasswordPolicy

                                                                                                                func (d *StaticSystemView) SetPasswordPolicy(name string, generator PasswordGenerator)

                                                                                                                func (StaticSystemView) SudoPrivilege

                                                                                                                func (d StaticSystemView) SudoPrivilege(_ context.Context, path string, token string) bool

                                                                                                                func (StaticSystemView) Tainted

                                                                                                                func (d StaticSystemView) Tainted() bool

                                                                                                                type StatusBadRequest

                                                                                                                type StatusBadRequest struct {
                                                                                                                	Err string
                                                                                                                }

                                                                                                                  Struct to identify user input errors. This is helpful in responding the appropriate status codes to clients from the HTTP endpoints.

                                                                                                                  func (*StatusBadRequest) Error

                                                                                                                  func (s *StatusBadRequest) Error() string

                                                                                                                    Implementing error interface

                                                                                                                    type Storage

                                                                                                                    type Storage interface {
                                                                                                                    	List(context.Context, string) ([]string, error)
                                                                                                                    	Get(context.Context, string) (*StorageEntry, error)
                                                                                                                    	Put(context.Context, *StorageEntry) error
                                                                                                                    	Delete(context.Context, string) error
                                                                                                                    }

                                                                                                                      Storage is the way that logical backends are able read/write data.

                                                                                                                      type StorageEntry

                                                                                                                      type StorageEntry struct {
                                                                                                                      	Key      string
                                                                                                                      	Value    []byte
                                                                                                                      	SealWrap bool
                                                                                                                      }

                                                                                                                        StorageEntry is the entry for an item in a Storage implementation.

                                                                                                                        func StorageEntryJSON

                                                                                                                        func StorageEntryJSON(k string, v interface{}) (*StorageEntry, error)

                                                                                                                          StorageEntryJSON creates a StorageEntry with a JSON-encoded value.

                                                                                                                          func (*StorageEntry) DecodeJSON

                                                                                                                          func (e *StorageEntry) DecodeJSON(out interface{}) error

                                                                                                                            DecodeJSON decodes the 'Value' present in StorageEntry.

                                                                                                                            type StorageView

                                                                                                                            type StorageView struct {
                                                                                                                            	// contains filtered or unexported fields
                                                                                                                            }

                                                                                                                            func NewStorageView

                                                                                                                            func NewStorageView(storage Storage, prefix string) *StorageView

                                                                                                                            func (*StorageView) Delete

                                                                                                                            func (s *StorageView) Delete(ctx context.Context, key string) error

                                                                                                                              logical.Storage impl.

                                                                                                                              func (*StorageView) ExpandKey

                                                                                                                              func (s *StorageView) ExpandKey(suffix string) string

                                                                                                                                ExpandKey is used to expand to the full key path with the prefix

                                                                                                                                func (*StorageView) Get

                                                                                                                                func (s *StorageView) Get(ctx context.Context, key string) (*StorageEntry, error)

                                                                                                                                  logical.Storage impl.

                                                                                                                                  func (*StorageView) List

                                                                                                                                  func (s *StorageView) List(ctx context.Context, prefix string) ([]string, error)

                                                                                                                                    logical.Storage impl.

                                                                                                                                    func (*StorageView) Prefix

                                                                                                                                    func (s *StorageView) Prefix() string

                                                                                                                                    func (*StorageView) Put

                                                                                                                                    func (s *StorageView) Put(ctx context.Context, entry *StorageEntry) error

                                                                                                                                      logical.Storage impl.

                                                                                                                                      func (*StorageView) SanityCheck

                                                                                                                                      func (s *StorageView) SanityCheck(key string) error

                                                                                                                                        SanityCheck is used to perform a sanity check on a key

                                                                                                                                        func (*StorageView) SubView

                                                                                                                                        func (s *StorageView) SubView(prefix string) *StorageView

                                                                                                                                          SubView constructs a nested sub-view using the given prefix

                                                                                                                                          func (*StorageView) TruncateKey

                                                                                                                                          func (s *StorageView) TruncateKey(full string) string

                                                                                                                                            TruncateKey is used to remove the prefix of the key

                                                                                                                                            type SystemView

                                                                                                                                            type SystemView interface {
                                                                                                                                            	// DefaultLeaseTTL returns the default lease TTL set in Vault configuration
                                                                                                                                            	DefaultLeaseTTL() time.Duration
                                                                                                                                            
                                                                                                                                            	// MaxLeaseTTL returns the max lease TTL set in Vault configuration; backend
                                                                                                                                            	// authors should take care not to issue credentials that last longer than
                                                                                                                                            	// this value, as Vault will revoke them
                                                                                                                                            	MaxLeaseTTL() time.Duration
                                                                                                                                            
                                                                                                                                            	// Returns true if the mount is tainted. A mount is tainted if it is in the
                                                                                                                                            	// process of being unmounted. This should only be used in special
                                                                                                                                            	// circumstances; a primary use-case is as a guard in revocation functions.
                                                                                                                                            	// If revocation of a backend's leases fails it can keep the unmounting
                                                                                                                                            	// process from being successful. If the reason for this failure is not
                                                                                                                                            	// relevant when the mount is tainted (for instance, saving a CRL to disk
                                                                                                                                            	// when the stored CRL will be removed during the unmounting process
                                                                                                                                            	// anyways), we can ignore the errors to allow unmounting to complete.
                                                                                                                                            	Tainted() bool
                                                                                                                                            
                                                                                                                                            	// Returns true if caching is disabled. If true, no caches should be used,
                                                                                                                                            	// despite known slowdowns.
                                                                                                                                            	CachingDisabled() bool
                                                                                                                                            
                                                                                                                                            	// When run from a system view attached to a request, indicates whether the
                                                                                                                                            	// request is affecting a local mount or not
                                                                                                                                            	LocalMount() bool
                                                                                                                                            
                                                                                                                                            	// ReplicationState indicates the state of cluster replication
                                                                                                                                            	ReplicationState() consts.ReplicationState
                                                                                                                                            
                                                                                                                                            	// HasFeature returns true if the feature is currently enabled
                                                                                                                                            	HasFeature(feature license.Features) bool
                                                                                                                                            
                                                                                                                                            	// ResponseWrapData wraps the given data in a cubbyhole and returns the
                                                                                                                                            	// token used to unwrap.
                                                                                                                                            	ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error)
                                                                                                                                            
                                                                                                                                            	// LookupPlugin looks into the plugin catalog for a plugin with the given
                                                                                                                                            	// name. Returns a PluginRunner or an error if a plugin can not be found.
                                                                                                                                            	LookupPlugin(context.Context, string, consts.PluginType) (*pluginutil.PluginRunner, error)
                                                                                                                                            
                                                                                                                                            	// MlockEnabled returns the configuration setting for enabling mlock on
                                                                                                                                            	// plugins.
                                                                                                                                            	MlockEnabled() bool
                                                                                                                                            
                                                                                                                                            	// EntityInfo returns a subset of information related to the identity entity
                                                                                                                                            	// for the given entity id
                                                                                                                                            	EntityInfo(entityID string) (*Entity, error)
                                                                                                                                            
                                                                                                                                            	// GroupsForEntity returns the group membership information for the provided
                                                                                                                                            	// entity id
                                                                                                                                            	GroupsForEntity(entityID string) ([]*Group, error)
                                                                                                                                            
                                                                                                                                            	// PluginEnv returns Vault environment information used by plugins
                                                                                                                                            	PluginEnv(context.Context) (*PluginEnvironment, error)
                                                                                                                                            
                                                                                                                                            	// GeneratePasswordFromPolicy generates a password from the policy referenced.
                                                                                                                                            	// If the policy does not exist, this will return an error.
                                                                                                                                            	GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error)
                                                                                                                                            }

                                                                                                                                              SystemView exposes system configuration information in a safe way for logical backends to consume

                                                                                                                                              type TokenEntry

                                                                                                                                              type TokenEntry struct {
                                                                                                                                              	Type TokenType `json:"type" mapstructure:"type" structs:"type" sentinel:""`
                                                                                                                                              
                                                                                                                                              	// ID of this entry, generally a random UUID
                                                                                                                                              	ID string `json:"id" mapstructure:"id" structs:"id" sentinel:""`
                                                                                                                                              
                                                                                                                                              	// Accessor for this token, a random UUID
                                                                                                                                              	Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor" sentinel:""`
                                                                                                                                              
                                                                                                                                              	// Parent token, used for revocation trees
                                                                                                                                              	Parent string `json:"parent" mapstructure:"parent" structs:"parent" sentinel:""`
                                                                                                                                              
                                                                                                                                              	// Which named policies should be used
                                                                                                                                              	Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`
                                                                                                                                              
                                                                                                                                              	// Used for audit trails, this is something like "auth/user/login"
                                                                                                                                              	Path string `json:"path" mapstructure:"path" structs:"path"`
                                                                                                                                              
                                                                                                                                              	// Used for auditing. This could include things like "source", "user", "ip"
                                                                                                                                              	Meta map[string]string `json:"meta" mapstructure:"meta" structs:"meta" sentinel:"meta"`
                                                                                                                                              
                                                                                                                                              	// Used for operators to be able to associate with the source
                                                                                                                                              	DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`
                                                                                                                                              
                                                                                                                                              	// Used to restrict the number of uses (zero is unlimited). This is to
                                                                                                                                              	// support one-time-tokens (generalized). There are a few special values:
                                                                                                                                              	// if it's -1 it has run through its use counts and is executing its final
                                                                                                                                              	// use; if it's -2 it is tainted, which means revocation is currently
                                                                                                                                              	// running on it; and if it's -3 it's also tainted but revocation
                                                                                                                                              	// previously ran and failed, so this hints the tidy function to try it
                                                                                                                                              	// again.
                                                                                                                                              	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`
                                                                                                                                              
                                                                                                                                              	// Time of token creation
                                                                                                                                              	CreationTime int64 `json:"creation_time" mapstructure:"creation_time" structs:"creation_time" sentinel:""`
                                                                                                                                              
                                                                                                                                              	// Duration set when token was created
                                                                                                                                              	TTL time.Duration `json:"ttl" mapstructure:"ttl" structs:"ttl" sentinel:""`
                                                                                                                                              
                                                                                                                                              	// Explicit maximum TTL on the token
                                                                                                                                              	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl" sentinel:""`
                                                                                                                                              
                                                                                                                                              	// If set, the role that was used for parameters at creation time
                                                                                                                                              	Role string `json:"role" mapstructure:"role" structs:"role"`
                                                                                                                                              
                                                                                                                                              	// If set, the period of the token. This is only used when created directly
                                                                                                                                              	// through the create endpoint; periods managed by roles or other auth
                                                                                                                                              	// backends are subject to those renewal rules.
                                                                                                                                              	Period time.Duration `json:"period" mapstructure:"period" structs:"period" sentinel:""`
                                                                                                                                              
                                                                                                                                              	// These are the deprecated fields
                                                                                                                                              	DisplayNameDeprecated    string        `json:"DisplayName" mapstructure:"DisplayName" structs:"DisplayName" sentinel:""`
                                                                                                                                              	NumUsesDeprecated        int           `json:"NumUses" mapstructure:"NumUses" structs:"NumUses" sentinel:""`
                                                                                                                                              	CreationTimeDeprecated   int64         `json:"CreationTime" mapstructure:"CreationTime" structs:"CreationTime" sentinel:""`
                                                                                                                                              	ExplicitMaxTTLDeprecated time.Duration `json:"ExplicitMaxTTL" mapstructure:"ExplicitMaxTTL" structs:"ExplicitMaxTTL" sentinel:""`
                                                                                                                                              
                                                                                                                                              	EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`
                                                                                                                                              
                                                                                                                                              	// The set of CIDRs that this token can be used with
                                                                                                                                              	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs" sentinel:""`
                                                                                                                                              
                                                                                                                                              	// NamespaceID is the identifier of the namespace to which this token is
                                                                                                                                              	// confined to. Do not return this value over the API when the token is
                                                                                                                                              	// being looked up.
                                                                                                                                              	NamespaceID string `json:"namespace_id" mapstructure:"namespace_id" structs:"namespace_id" sentinel:""`
                                                                                                                                              
                                                                                                                                              	// CubbyholeID is the identifier of the cubbyhole storage belonging to this
                                                                                                                                              	// token
                                                                                                                                              	CubbyholeID string `json:"cubbyhole_id" mapstructure:"cubbyhole_id" structs:"cubbyhole_id" sentinel:""`
                                                                                                                                              }

                                                                                                                                                TokenEntry is used to represent a given token

                                                                                                                                                func (*TokenEntry) SentinelGet

                                                                                                                                                func (te *TokenEntry) SentinelGet(key string) (interface{}, error)

                                                                                                                                                func (*TokenEntry) SentinelKeys

                                                                                                                                                func (te *TokenEntry) SentinelKeys() []string

                                                                                                                                                type TokenType

                                                                                                                                                type TokenType uint8
                                                                                                                                                const (
                                                                                                                                                	// TokenTypeDefault means "use the default, if any, that is currently set
                                                                                                                                                	// on the mount". If not set, results in a Service token.
                                                                                                                                                	TokenTypeDefault TokenType = iota
                                                                                                                                                
                                                                                                                                                	// TokenTypeService is a "normal" Vault token for long-lived services
                                                                                                                                                	TokenTypeService
                                                                                                                                                
                                                                                                                                                	// TokenTypeBatch is a batch token
                                                                                                                                                	TokenTypeBatch
                                                                                                                                                
                                                                                                                                                	// TokenTypeDefaultService, configured on a mount, means that if
                                                                                                                                                	// TokenTypeDefault is sent back by the mount, create Service tokens
                                                                                                                                                	TokenTypeDefaultService
                                                                                                                                                
                                                                                                                                                	// TokenTypeDefaultBatch, configured on a mount, means that if
                                                                                                                                                	// TokenTypeDefault is sent back by the mount, create Batch tokens
                                                                                                                                                	TokenTypeDefaultBatch
                                                                                                                                                )

                                                                                                                                                func (TokenType) String

                                                                                                                                                func (t TokenType) String() string

                                                                                                                                                func (*TokenType) UnmarshalJSON

                                                                                                                                                func (t *TokenType) UnmarshalJSON(b []byte) error

                                                                                                                                                type WALState

                                                                                                                                                type WALState struct {
                                                                                                                                                	ClusterID       string
                                                                                                                                                	LocalIndex      uint64
                                                                                                                                                	ReplicatedIndex uint64
                                                                                                                                                }

                                                                                                                                                func IndexStateFromContext

                                                                                                                                                func IndexStateFromContext(ctx context.Context) *WALState

                                                                                                                                                  IndexStateFromContext is a helper to look up if the provided context contains an index state pointer.