secrets

package
v0.0.0-...-ac56535 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 26, 2024 License: AGPL-3.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	GetProvider            = provider.Provider
	GetSecretsState        = getSecretsState
	GetSecretBackendsState = getSecretBackendsState
)

For testing.

Functions

func AdminBackendConfigInfo 

func AdminBackendConfigInfo(model Model) (*provider.ModelBackendConfigInfo, error)

AdminBackendConfigInfo returns the admin config for the secret backends is use by the specified model. If external backend is configured, it returns the external backend together with the "internal" backend and the k8s backend for k8s models.

func AuthTagApp 

func AuthTagApp(authTag names.Tag) string

AuthTagApp returns the application name of the authenticated entity.

func BackendConfigInfo 

func BackendConfigInfo(model Model, sameController bool, backendIDs []string, wantAll bool, authTag names.Tag, leadershipChecker leadership.Checker) (*provider.ModelBackendConfigInfo, error)

BackendConfigInfo returns the config to create a secret backend for the specified backend IDs. This is called to provide config to a client like a unit agent which needs to access secrets. The authTag is the agent which needs access. The client is expected to be restricted to write only those secrets owned by the agent, and read only those secrets shared with the agent. The result includes config for all relevant backends, including the id of the current active backend.

func BackendSummaryInfo 

func BackendSummaryInfo(
	statePool StatePool, backendState SecretsBackendState, secretState SecretsState, controllerUUID string, reveal bool, filter BackendFilter,
) ([]params.SecretBackendResult, error)

BackendSummaryInfo returns a summary of the status of the secret backends relevant to the specified models. This method is used by the secretsbackend and modelmanager client facades; it is tested on the secretsbackend facade package.

func CanManage 

func CanManage(
	api SecretsConsumer, leadershipChecker leadership.Checker,
	authTag names.Tag, uri *coresecrets.URI,
) (leadership.Token, error)

CanManage checks that the authenticated caller can manage the secret, and returns a token to ensure leadership if that is required; ie if the request is for a secret owned by an application, the entity must be the unit leader.

func CanRead 

func CanRead(api SecretsConsumer, authTag names.Tag, uri *coresecrets.URI, entity names.Tag) (bool, error)

CanRead returns true if the specified entity can read the secret.

func DrainBackendConfigInfo 

func DrainBackendConfigInfo(backendID string, model Model, authTag names.Tag, leadershipChecker leadership.Checker) (*provider.ModelBackendConfigInfo, error)

DrainBackendConfigInfo returns the secret backend config for the drain worker to use.

func GetSecretMetadata 

func GetSecretMetadata(
	ownerTag names.Tag, secretsState SecretsMetaState, leadershipChecker leadership.Checker,
	filter func(*coresecrets.SecretMetadata, *coresecrets.SecretRevisionMetadata) bool,
) (params.ListSecretResults, error)

GetSecretMetadata returns the secrets metadata for the given filter.

func IsLeaderUnit 

func IsLeaderUnit(authTag names.Tag, leadershipChecker leadership.Checker) (bool, error)

IsLeaderUnit returns true if the authenticated caller is the unit leader of its application.

func IsSameApplication 

func IsSameApplication(authTag names.Tag, tag names.Tag) bool

IsSameApplication returns true if the authenticated entity and the specified entity are in the same application.

func LeadershipToken 

func LeadershipToken(authTag names.Tag, leadershipChecker leadership.Checker) (leadership.Token, error)

LeadershipToken returns a token used to determine if the authenticated caller is the unit leader of its application.

func OwnerToken 

func OwnerToken(authTag names.Tag, ownerTag names.Tag, leadershipChecker leadership.Checker) (leadership.Token, error)

OwnerToken returns a token used to determine if the specified entity is owned by the authenticated caller.

func PingBackend 

func PingBackend(p provider.SecretBackendProvider, cfg provider.ConfigAttrs) error

PingBackend instantiates a backend and pings it.

func RemoveSecretsForAgent 

func RemoveSecretsForAgent(
	removeState SecretsRemoveState, adminConfigGetter BackendAdminConfigGetter,
	args params.DeleteSecretArgs,
	modelUUID string,
	canDelete func(*coresecrets.URI) error,
) (params.ErrorResults, error)

RemoveSecretsForAgent removes the specified secrets for agent. The secrets are only removed from the state and the caller must have permission to manage the secret(secret owners remove secrets from the backend on uniter side).

func RemoveUserSecrets 

func RemoveUserSecrets(
	removeState SecretsRemoveState, adminConfigGetter BackendAdminConfigGetter,
	authTag names.Tag, args params.DeleteSecretArgs,
	modelUUID string,
	canDelete func(*coresecrets.URI) error,
) (params.ErrorResults, error)

RemoveUserSecrets removes the specified user supplied secrets. The secrets are removed from the state and backend, and the caller must have model admin access.

Types

type BackendAdminConfigGetter 

type BackendAdminConfigGetter func() (*provider.ModelBackendConfigInfo, error)

BackendAdminConfigGetter is a func used to get admin level secret backend config.

type BackendConfigGetter 

type BackendConfigGetter func(backendIDs []string, wantAll bool) (*provider.ModelBackendConfigInfo, error)

BackendConfigGetter is a func used to get secret backend config.

type BackendDrainConfigGetter 

type BackendDrainConfigGetter func(string) (*provider.ModelBackendConfigInfo, error)

BackendDrainConfigGetter is a func used to get secret backend config for draining.

type BackendFilter 

type BackendFilter struct {
	Names []string
	All   bool
}

BackendFilter is used when listing secret backends.

type Credential 

type Credential interface {
	AuthType() string
	Attributes() map[string]string
}

Credential represents a cloud credential.

type ListSecretsState 

type ListSecretsState interface {
	ListSecrets(state.SecretsFilter) ([]*secrets.SecretMetadata, error)
}

ListSecretsState instances provide secret metadata apis.

type Model 

type Model interface {
	ControllerUUID() string
	Cloud() (cloud.Cloud, error)
	CloudCredential() (Credential, error)
	Config() (*config.Config, error)
	UUID() string
	Name() string
	Type() state.ModelType
	State() *state.State

	ModelConfig() (*config.Config, error)
	WatchForModelConfigChanges() state.NotifyWatcher
}

Model defines a subset of state model methods.

func SecretsModel 

func SecretsModel(m *state.Model) Model

SecretsModel wraps a state Model.

type SecretsBackendState 

type SecretsBackendState interface {
	GetSecretBackendByID(ID string) (*secrets.SecretBackend, error)
	ListSecretBackends() ([]*secrets.SecretBackend, error)
}

type SecretsConsumer 

type SecretsConsumer interface {
	SecretAccess(uri *secrets.URI, subject names.Tag) (secrets.SecretRole, error)
}

SecretsConsumer instances provide secret consumer apis.

type SecretsDrainAPI 

type SecretsDrainAPI struct {
	// contains filtered or unexported fields
}

SecretsDrainAPI is the implementation for the SecretsDrain facade.

func NewSecretsDrainAPI 

func NewSecretsDrainAPI(
	authTag names.Tag,
	authorizer facade.Authorizer,
	resources facade.Resources,
	leadershipChecker leadership.Checker,
	model Model,
	secretsState SecretsMetaState,
	secretsConsumer SecretsConsumer,
) (*SecretsDrainAPI, error)

NewSecretsDrainAPI returns a new SecretsDrainAPI.

func (*SecretsDrainAPI) ChangeSecretBackend 

func (s *SecretsDrainAPI) ChangeSecretBackend(args params.ChangeSecretBackendArgs) (params.ErrorResults, error)

ChangeSecretBackend updates the backend for the specified secret after migration done.

func (*SecretsDrainAPI) GetSecretsToDrain 

func (s *SecretsDrainAPI) GetSecretsToDrain() (params.ListSecretResults, error)

GetSecretsToDrain returns metadata for the secrets that need to be drained.

func (*SecretsDrainAPI) WatchSecretBackendChanged 

func (s *SecretsDrainAPI) WatchSecretBackendChanged() (params.NotifyWatchResult, error)

WatchSecretBackendChanged sets up a watcher to notify of changes to the secret backend.

type SecretsGetter 

type SecretsGetter interface {
	GetSecret(*secrets.URI) (*secrets.SecretMetadata, error)
	GetSecretValue(*secrets.URI, int) (secrets.SecretValue, *secrets.ValueRef, error)
}

type SecretsMetaState 

type SecretsMetaState interface {
	ListSecrets(state.SecretsFilter) ([]*secrets.SecretMetadata, error)
	ListSecretRevisions(uri *secrets.URI) ([]*secrets.SecretRevisionMetadata, error)
	SecretGrants(uri *secrets.URI, role secrets.SecretRole) ([]secrets.AccessInfo, error)
	ChangeSecretBackend(state.ChangeSecretBackendParams) error
}

SecretsMetaState instances provide secret metadata apis.

type SecretsRemoveState 

type SecretsRemoveState interface {
	DeleteSecret(*secrets.URI, ...int) ([]secrets.ValueRef, error)
	GetSecret(*secrets.URI) (*secrets.SecretMetadata, error)
	GetSecretRevision(uri *secrets.URI, revision int) (*secrets.SecretRevisionMetadata, error)
	ListSecretRevisions(uri *secrets.URI) ([]*secrets.SecretRevisionMetadata, error)
	ListSecrets(state.SecretsFilter) ([]*secrets.SecretMetadata, error)
}

SecretsRemoveState instances provide secret removal apis.

type SecretsState 

type SecretsState interface {
	ListModelSecrets(all bool) (map[string]set.Strings, error)
}

SecretsState instances provide secret apis.

type StatePool 

type StatePool interface {
	GetModel(modelUUID string) (common.Model, func() bool, error)
}

Source Files

View all Source files

Directories

Path Synopsis
Package mocks is a generated GoMock package.
 Package mocks is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.