briefcase

package
v2.0.0-...-f3fe0fa
Published: Apr 14, 2022 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Briefcase

type Briefcase struct {
	AuthTokenLease         LeasedAuthToken                `json:"auth"`
	SSHCertificates        map[string]sshCert             `json:"ssh,omitempty"`
	AWSCredentialLeases    map[string]leasedAWSCredential `json:"aws,omitempty"`
	TokenScopedTemplates   map[string]bool                `json:"tokenscoped_templates,omitempty"`
	StaticTemplates        map[string]bool                `json:"static_templates,omitempty"`
	TokenScopedSecrets     map[string]bool                `json:"tokenscoped_secrets,omitempty"`
	StaticScopedSecrets    map[string]bool                `json:"static_secrets,omitempty"`
	VersionScopedSecrets   map[string]int64               `json:"versioned_secrets,omitempty"`
	TokenScopedComposites  map[string]bool                `json:"tokenscoped_composites,omitempty"`
	StaticScopedComposites map[string]bool                `json:"static_composites,omitempty"`
	// contains filtered or unexported fields
}

Briefcase is a serialized file that contains all the information needed for the tool, running in sidecar mode, to keep all the associated leases, secrets, etc. refreshed. It also keeps a non-serialized copy of the secrets that are used to populate templates.

func LoadBriefcase

func LoadBriefcase(filename string, mtrics *metrics.Metrics) (*Briefcase, error)

func NewBriefcase

func NewBriefcase(mtrics *metrics.Metrics) *Briefcase

NewBriefcase creates an empty briefcase.

func (*Briefcase) AWSCredentialExpiresBefore

func (b *Briefcase) AWSCredentialExpiresBefore(awsConfig config.AWSType, expiresBefore time.Time) bool

STS credentials have a maximum lifetime enforced by AWS. The current expiry is kept in the briefcase and checked to determine if it needs to be refreshed. Services using STS credentials are expected to handle credentials expiring underneath them at any time.

func (*Briefcase) AWSCredentialShouldRefreshBefore

func (b *Briefcase) AWSCredentialShouldRefreshBefore(awsConfig config.AWSType, refreshBefore time.Time) bool

AWSCredentialShouldRefreshBefore checks whether a set of AWS credentials should be force refreshed according to its refresh_expiry.

func (*Briefcase) EnrollAWSCredential

func (b *Briefcase) EnrollAWSCredential(ctx context.Context, awsCreds *api.Secret, awsConfig config.AWSType, forceRefreshTTL time.Duration)

EnrollAWSCredential adds or replaces a managed AWS credential in the briefcase. If forceRefreshTTL is not zero, then it will associate a refresh expiry time with the credential.

func (*Briefcase) EnrollComposite

func (b *Briefcase) EnrollComposite(composite config.CompositeSecretFile)

func (*Briefcase) EnrollSSHCertificate

func (b *Briefcase) EnrollSSHCertificate(ctx context.Context, sshCertConfig config.SSHCertificateType, forceRefreshTTL time.Duration) error

EnrollSSHCertificate adds a managed SSH certificate to briefcase. If forceRefreshTTL is not zero, then it will associate a refresh expiry time with the certificate.

func (*Briefcase) EnrollSecret

func (b *Briefcase) EnrollSecret(secret config.SecretType)

func (*Briefcase) EnrollTemplate

func (b *Briefcase) EnrollTemplate(tmpl config.TemplateType)

func (*Briefcase) EnrollVaultToken

func (b *Briefcase) EnrollVaultToken(ctx context.Context, token *util.WrappedToken) error

EnrollVaultToken adds the specified vault token (from Vault) to the briefcase. It captures some expiry information so it knows when it needs to be refreshed.

func (*Briefcase) GetSecrets

func (b *Briefcase) GetSecrets(lifetime util.SecretLifetime) []SimpleSecret

func (*Briefcase) HasCachedSecrets

func (b *Briefcase) HasCachedSecrets(lifetime util.SecretLifetime) bool

func (*Briefcase) ResetBriefcase

func (b *Briefcase) ResetBriefcase() *Briefcase

ResetBriefcase is used when a vault token from a briefcase is no longer usable. This means any secrets that weren't "static" will likely soon expire and disappear. By resetting the briefcase, it will cause all the non-static secrets to be recreated.

func (*Briefcase) SaveAs

func (b *Briefcase) SaveAs(filename string) error

func (*Briefcase) ShouldRefreshComposite

func (b *Briefcase) ShouldRefreshComposite(composite config.CompositeSecretFile) bool

func (*Briefcase) ShouldRefreshSSHCertificate

func (b *Briefcase) ShouldRefreshSSHCertificate(sshCertConfig config.SSHCertificateType, expiresBefore time.Time) bool

func (*Briefcase) ShouldRefreshSecret

func (b *Briefcase) ShouldRefreshSecret(secret config.SecretType) bool

func (*Briefcase) ShouldRefreshTemplate

func (b *Briefcase) ShouldRefreshTemplate(tmpl config.TemplateType) bool

func (*Briefcase) ShouldRefreshVaultToken

func (b *Briefcase) ShouldRefreshVaultToken(ctx context.Context) bool

ShouldRefreshVaultToken returns true if it is time to do a periodic refresh of the Vault token being used by the tool. This time is established when the token is enrolled into the briefcase. It returns false if the token is not renewable. If the token needs a refresh but is non-renewable, it logs (but does not return) an error.
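The refresh decisions documented for AWSCredentialExpiresBefore, AWSCredentialShouldRefreshBefore, EnrollAWSCredential and ShouldRefreshVaultToken above can be illustrated with a small stand-alone model. The following is an added example, not code from the briefcase package: it reuses the page's exported LeasedAuthToken type, but the leasedAWSCredential fields, the enrollToken/enrollAWSCredential helpers and the "refresh at half the TTL" rule are assumptions made for the example only (the real package keeps leasedAWSCredential unexported and does not document its refresh schedule).

```go
package main

import (
	"fmt"
	"log"
	"time"
)

// LeasedAuthToken mirrors the exported type documented on the page.
type LeasedAuthToken struct {
	Accessor    string    `json:"accessor"`
	Renewable   bool      `json:"renewable"`
	Token       string    `json:"token"`
	ExpiresAt   time.Time `json:"expiry"`
	NextRefresh time.Time `json:"next_refresh"`
}

// leasedAWSCredential is an ASSUMED shape for this example: the real package
// keeps this type unexported and its fields are not shown on the page.
type leasedAWSCredential struct {
	AccessKeyID   string
	ExpiresAt     time.Time // hard limit enforced by AWS STS
	RefreshExpiry time.Time // zero when no forceRefreshTTL was given at enrollment
}

// enrollToken records when the token expires and when it should next be
// refreshed. Refreshing at half the TTL is this example's choice, not the
// package's documented policy.
func enrollToken(accessor, token string, renewable bool, ttl time.Duration, now time.Time) LeasedAuthToken {
	return LeasedAuthToken{
		Accessor:    accessor,
		Renewable:   renewable,
		Token:       token,
		ExpiresAt:   now.Add(ttl),
		NextRefresh: now.Add(ttl / 2),
	}
}

// shouldRefreshToken returns true once the periodic refresh time has passed.
// A non-renewable token never reports true; if it is due anyway, the condition
// is only logged, matching the behaviour described for ShouldRefreshVaultToken.
func shouldRefreshToken(t LeasedAuthToken, now time.Time, logf func(string, ...interface{})) bool {
	due := !now.Before(t.NextRefresh)
	if !t.Renewable {
		if due {
			logf("token %s is due for refresh at %s but is not renewable",
				t.Accessor, t.NextRefresh.Format(time.RFC3339))
		}
		return false
	}
	return due
}

// enrollAWSCredential records the STS hard expiry and, when forceRefreshTTL is
// non-zero, an earlier forced-refresh expiry (as EnrollAWSCredential documents).
func enrollAWSCredential(accessKeyID string, expiresAt time.Time, forceRefreshTTL time.Duration, now time.Time) leasedAWSCredential {
	c := leasedAWSCredential{AccessKeyID: accessKeyID, ExpiresAt: expiresAt}
	if forceRefreshTTL != 0 {
		c.RefreshExpiry = now.Add(forceRefreshTTL)
	}
	return c
}

// credentialExpiresBefore answers the AWSCredentialExpiresBefore question:
// will the STS credential have hit its hard expiry before time t?
func credentialExpiresBefore(c leasedAWSCredential, t time.Time) bool {
	return c.ExpiresAt.Before(t)
}

// credentialShouldRefreshBefore answers the AWSCredentialShouldRefreshBefore
// question: credentials enrolled without a forceRefreshTTL are never force refreshed.
func credentialShouldRefreshBefore(c leasedAWSCredential, t time.Time) bool {
	if c.RefreshExpiry.IsZero() {
		return false
	}
	return c.RefreshExpiry.Before(t)
}

func main() {
	// Constructed sample values; nothing here is a real token or key.
	now := time.Date(2022, 4, 14, 12, 0, 0, 0, time.UTC)
	tok := enrollToken("accessor-example", "token-example", true, time.Hour, now)
	fmt.Println("refresh at +10m:", shouldRefreshToken(tok, now.Add(10*time.Minute), log.Printf))
	fmt.Println("refresh at +31m:", shouldRefreshToken(tok, now.Add(31*time.Minute), log.Printf))

	cred := enrollAWSCredential("AKIAEXAMPLE", now.Add(time.Hour), 20*time.Minute, now)
	fmt.Println("force refresh before +25m:", credentialShouldRefreshBefore(cred, now.Add(25*time.Minute)))
	fmt.Println("hard expiry before +25m:", credentialExpiresBefore(cred, now.Add(25*time.Minute)))
}
```

The two AWS checks are deliberately separate: the forced refresh expiry lets the sidecar rotate credentials well before the STS hard limit, while the hard-expiry check is what services must still tolerate, since STS credentials can expire underneath them at any time.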

func (*Briefcase) StoreSecrets

func (b *Briefcase) StoreSecrets(lifetime util.SecretLifetime, secrets []SimpleSecret)

type LeasedAuthToken

type LeasedAuthToken struct {
	Accessor    string    `json:"accessor"`
	Renewable   bool      `json:"renewable"`
	Token       string    `json:"token"`
	ExpiresAt   time.Time `json:"expiry"`
	NextRefresh time.Time `json:"next_refresh"`
}

type SecretsCache

type SecretsCache interface {
	HasCachedSecrets(lifetime util.SecretLifetime) bool
	StoreSecrets(lifetime util.SecretLifetime, secrets []SimpleSecret)
	GetSecrets(lifetime util.SecretLifetime) []SimpleSecret
}

SecretsCache is the interface to the non-persisted secrets that are kept in the briefcase. This could probably be kept outside the briefcase, but we use the briefcase as blackboard style runtime state right now.

type SimpleSecret

type SimpleSecret struct {
	Key         string
	Field       string
	Value       interface{}
	Version     *int64
	CreatedTime *time.Time
}

SimpleSecret is a field in a secret, but also contains some important information about the secret itself.
