
Package vault

v0.0.0 (46c67a1)





var ErrAlreadySetup = errors.New("vault is already setup")

ErrAlreadySetup is returned if the vault is already set up.

var ErrInvalidAuth = errors.New("invalid vault auth")

ErrInvalidAuth is returned if the auth is invalid.

var ErrItemValueTooLarge = errors.New("item value is too large")

ErrItemValueTooLarge is returned if an item value is too large.

var ErrLocked = errors.New("vault is locked")

ErrLocked is returned if no vault key is set (the vault is locked).

var Keys = keysOpts{}

Keys options.

var Secrets = secrets{}

Secrets options.

func ConvertKeyring

func ConvertKeyring(kr keyring.Keyring, to *Vault) (bool, error)

ConvertKeyring converts a keyring store to a Vault.

func Copy

func Copy(from Store, to Store, opt ...CopyOption) ([]string, error)

Copy data from one vault.Store to another vault.Store. It copies raw (still encrypted) data, so the vault doesn't need to be unlocked.

func KeyForItem

func KeyForItem(item *Item) (keys.Key, error)

KeyForItem returns the Key for a vault.Item, or nil if the item is not recognized as a Key.

func SetLogger

func SetLogger(l Logger)

SetLogger sets logger for the package.

type AuthType

type AuthType string

AuthType describes an auth method.

const (
	// UnknownAuth ...
	UnknownAuth AuthType = ""
	// PasswordAuth ...
	PasswordAuth AuthType = "password"
	// FIDO2HMACSecretAuth ...
	FIDO2HMACSecretAuth AuthType = "fido2-hmac-secret" // #nosec

type CopyOption

type CopyOption func(*CopyOptions)

CopyOption ...

func DryRun

func DryRun() CopyOption

DryRun to pretend to copy.

func SkipExisting

func SkipExisting() CopyOption

SkipExisting skips existing entries; otherwise an existing entry is an error.

type CopyOptions

type CopyOptions struct {
	SkipExisting bool
	DryRun       bool

CopyOptions ...

type DB

type DB struct {
	// contains filtered or unexported fields

DB Store.

func NewDB

func NewDB(path string) *DB

NewDB creates DB Store.

func (*DB) Close

func (d *DB) Close() error

Close db.

func (*DB) Delete

func (d *DB) Delete(path string) (bool, error)

Delete from DB.

func (*DB) Documents

func (d *DB) Documents(opt ([]*docs.Document, error)

Documents ...

func (*DB) Exists

func (d *DB) Exists(path string) (bool, error)

Exists if path exists.

func (*DB) Get

func (d *DB) Get(path string) ([]byte, error)

Get from DB.

func (*DB) Name

func (d *DB) Name() string

Name for Store.

func (*DB) Open

func (d *DB) Open() error

Open db.

func (*DB) Set

func (d *DB) Set(path string, b []byte) error

Set in DB.

type Event

type Event interface{}

Event from vault.

type Item

type Item struct {
	ID   string `msgpack:"id"`
	Data []byte `msgpack:"dat"`

	// Type for item data.
	Type string `msgpack:"typ,omitempty"`

	// CreatedAt when item was created.
	CreatedAt time.Time `msgpack:"cts,omitempty"`

Item in the vault.

func ItemForKey

func ItemForKey(key keys.Key) *Item

ItemForKey returns vault.Item for a Key.

func NewItem

func NewItem(id string, b []byte, typ string, createdAt time.Time) *Item

NewItem creates an item.

func (*Item) Encrypt

func (i *Item) Encrypt(mk *[32]byte) ([]byte, error)

Encrypt item.

type KeysOption

type KeysOption func(*KeysOptions)

KeysOption ...

type KeysOptions

type KeysOptions struct {
	Types []keys.KeyType

KeysOptions ...

type LockEvent

type LockEvent struct{}

LockEvent when keyring is locked.

type LogLevel

type LogLevel int

LogLevel ...

const (
	// DebugLevel ...
	DebugLevel LogLevel = 3
	// InfoLevel ...
	InfoLevel LogLevel = 2
	// WarnLevel ...
	WarnLevel LogLevel = 1
	// ErrLevel ...
	ErrLevel LogLevel = 0

func (LogLevel) String

func (l LogLevel) String() string

type Logger

type Logger interface {
	Debugf(format string, args ...interface{})
	Infof(format string, args ...interface{})
	Warningf(format string, args ...interface{})
	Errorf(format string, args ...interface{})
	Fatalf(format string, args ...interface{})

Logger interface used in this package.

func NewLogger

func NewLogger(lev LogLevel) Logger

NewLogger ...

type Option

type Option func(*Options)

Option for Vault.

func WithClock

func WithClock(clock tsutil.Clock) Option

WithClock ...

type Options

type Options struct {
	Clock tsutil.Clock

Options for Vault.

type Provision

type Provision struct {
	ID        string    `msgpack:"id"`
	Type      AuthType  `msgpack:"type"`
	CreatedAt time.Time `msgpack:"cts"`

	// AAGUID (for FIDO2HMACSecret)
	AAGUID string `msgpack:"aaguid,omitempty"`
	// Salt (for FIDO2HMACSecret)
	Salt []byte `msgpack:"salt,omitempty"`
	// NoPin (for FIDO2HMACSecret)
	NoPin bool `msgpack:"nopin,omitempty"`

Provision is unencrypted provision and parameters used by client auth.

func NewProvision

func NewProvision(typ AuthType) *Provision

NewProvision creates a new provision.

type Remote

type Remote struct {
	URL  *url.URL          `json:"url,omitempty"`
	Key  *keys.EdX25519Key `json:"key"`
	Salt []byte            `json:"salt"`

Remote for vault.

func NewRemote

func NewRemote(url *url.URL, key *keys.EdX25519Key, salt []byte) *Remote

NewRemote creates a Remote.

type SecretsOption

type SecretsOption func(*SecretsOptions)

SecretsOption ...

type SecretsOptions

type SecretsOptions struct {
	Query         string
	Sort          string
	SortDirection SortDirection

SecretsOptions ...

type SetEvent

type SetEvent struct {
	ID string

SetEvent when item is saved.

type SortDirection

type SortDirection string

SortDirection direction for sorting.

const (
	// Ascending direction.
	Ascending SortDirection = "asc"
	// Descending direction.
	Descending SortDirection = "desc"

type Status

type Status string

Status for vault.

const (
	// Unknown status.
	Unknown Status = ""
	// Setup if setup needed.
	Setup Status = "setup"
	// Unlocked if unlocked.
	Unlocked Status = "unlocked"
	// Locked if locked.
	Locked Status = "locked"

type Store

type Store interface {
	// Name of the Store implementation.
	Name() string

	// Get bytes.
	Get(path string) ([]byte, error)
	// Set bytes.
	Set(path string, data []byte) error
	// Delete bytes.
	Delete(path string) (bool, error)

	// Documents iterator.
	Documents(opt ([]*docs.Document, error)

	// Open store.
	Open() error
	// Close store.
	Close() error

Store is the interface used to store data.

func NewMem

func NewMem() Store

NewMem returns an in memory Store useful for testing or ephemeral keys.

type SyncStatus

type SyncStatus struct {
	KID      keys.ID
	Salt     []byte
	SyncedAt time.Time

SyncStatus is status of sync.

type UnlockEvent

type UnlockEvent struct {
	Provision *Provision

UnlockEvent when keyring is unlocked.

type Vault

type Vault struct {
	// contains filtered or unexported fields

Vault stores keys and secrets.

func New

func New(st Store, opt ...Option) *Vault

New creates a Vault backed by the given Store.



vlt := vault.New(vault.NewMem())

if err := vlt.UnlockWithPassword("mypassword", true); err != nil {

item := vault.NewItem("id1", []byte("mysecret"), "", time.Now())
if err := vlt.Set(item); err != nil {

out, err := vlt.Get("id1")
if err != nil {
fmt.Printf("secret: %s\n", string(out.Data))

items, err := vlt.Items()
if err != nil {
for _, item := range items {
	fmt.Printf("%s: %v\n", item.ID, string(item.Data))
secret: mysecret
id1: mysecret

func (*Vault) CheckSync

func (v *Vault) CheckSync(ctx context.Context, expire time.Duration) (bool, error)

CheckSync performs sync unless disabled or already synced recently (within expire duration).

func (*Vault) Clone

func (v *Vault) Clone(ctx context.Context, remote *Remote) error

Clone initializes the Vault from a remote.

func (*Vault) Close

func (v *Vault) Close() error

Close vault.

func (*Vault) Collections

func (v *Vault) Collections(parent string) ([]*docs.Collection, error)

Collections from vault db.

func (*Vault) Delete

func (v *Vault) Delete(id string) (bool, error)

Delete vault item.

func (*Vault) DeleteDocument

func (v *Vault) DeleteDocument(path string) (bool, error)

DeleteDocument removes a document from the vault.

func (*Vault) Deprovision

func (v *Vault) Deprovision(id string, force bool) (bool, error)

Deprovision auth. Doesn't require Unlock().

func (*Vault) Documents

func (v *Vault) Documents(opt ([]*docs.Document, error)

Documents from Store.

func (*Vault) EdX25519Key

func (v *Vault) EdX25519Key(id keys.ID) (*keys.EdX25519Key, error)

EdX25519Key for id.

func (*Vault) EdX25519Keys

func (v *Vault) EdX25519Keys() ([]*keys.EdX25519Key, error)

EdX25519Keys from the vault.

func (*Vault) EdX25519PublicKey

func (v *Vault) EdX25519PublicKey(kid keys.ID) (*keys.EdX25519PublicKey, error)

EdX25519PublicKey searches all our EdX25519 public keys for a match to a converted X25519 public key.

func (*Vault) EdX25519PublicKeys

func (v *Vault) EdX25519PublicKeys() ([]*keys.EdX25519PublicKey, error)

EdX25519PublicKeys from the vault. Includes public keys of EdX25519Key's.

func (*Vault) ExportSaltpack

func (v *Vault) ExportSaltpack(id keys.ID, password string) (string, error)

ExportSaltpack exports key from the vault to a Saltpack message.

func (*Vault) Get

func (v *Vault) Get(id string) (*Item, error)

Get vault item.

func (*Vault) ImportSaltpack

func (v *Vault) ImportSaltpack(msg string, password string, isHTML bool) (keys.Key, error)

ImportSaltpack imports key into the vault from a Saltpack message.

func (*Vault) IsEmpty

func (v *Vault) IsEmpty() (bool, error)

IsEmpty returns true if vault is empty.

func (*Vault) ItemHistory

func (v *Vault) ItemHistory(id string) ([]*Item, error)

ItemHistory returns history of an item. Items with empty data are deleted items. This is slow.

func (*Vault) Items

func (v *Vault) Items() ([]*Item, error)

Items to list.

func (*Vault) Key

func (v *Vault) Key(id keys.ID) (keys.Key, error)

Key for id.

func (*Vault) Keys

func (v *Vault) Keys(opt ...KeysOption) ([]keys.Key, error)

Keys in the vault.

func (*Vault) Lock

func (v *Vault) Lock()

Lock the vault.

func (*Vault) MasterKey

func (v *Vault) MasterKey() *[32]byte

MasterKey returns the master key, if unlocked. The master key is used to encrypt items in the vault. It's not recommended to use this key for anything other than possibly deriving new keys. TODO: Point to spec.

func (*Vault) Open

func (v *Vault) Open() error

Open vault.

func (*Vault) Provision

func (v *Vault) Provision(key *[32]byte, provision *Provision) error

Provision new auth. Requires Unlock().

func (*Vault) ProvisionSave

func (v *Vault) ProvisionSave(provision *Provision) error

ProvisionSave for auth methods that need to store registration data before key is available (for example, FIDO2 hmac-secret).

func (*Vault) Provisions

func (v *Vault) Provisions() ([]*Provision, error)

Provisions are currently provisioned auth. Doesn't require Unlock().

func (*Vault) Pull

func (v *Vault) Pull(ctx context.Context) error

Pull events from remote. Does NOT require Unlock.

func (*Vault) Remote

func (v *Vault) Remote() *Remote

Remote returns the remote server and auth, if unlocked. The vault auth key is used to encrypt and verify vault items from the server. This encryption is applied on top of the encryption by the master key. TODO: Point to spec.

func (*Vault) Salt

func (v *Vault) Salt() ([]byte, error)

Salt is the default salt value, generated on first access. This salt value is stored unencrypted. Doesn't require Unlock().

func (*Vault) SaveKey

func (v *Vault) SaveKey(key keys.Key) error

SaveKey saves a key.

func (*Vault) SaveSecret

func (v *Vault) SaveSecret(secret *secret.Secret) (*secret.Secret, bool, error)

SaveSecret saves a secret. Returns true if the secret was updated.

func (*Vault) Secret

func (v *Vault) Secret(id string) (*secret.Secret, error)

Secret for ID.

func (*Vault) Secrets

func (v *Vault) Secrets(opt ...SecretsOption) ([]*secret.Secret, error)

Secrets ...

func (*Vault) Set

func (v *Vault) Set(item *Item) error

Set vault item.

func (*Vault) SetClient

func (v *Vault) SetClient(client *httpclient.Client)

SetClient sets the client.

func (*Vault) Setup

func (v *Vault) Setup(key *[32]byte, provision *Provision) error

Setup auth, if no auth exists. Returns ErrAlreadySetup if already setup. Doesn't require Unlock().

func (*Vault) Spew

func (v *Vault) Spew(prefix string, out io.Writer) error

Spew to out.

func (*Vault) Status

func (v *Vault) Status() (Status, error)

Status returns the vault status. If there are no auths or provisions, returns vault.Setup. Doesn't require Unlock(). TODO: We may want to re-think hardware provisioning requiring a separate Unlock step on setup.

func (*Vault) Sync

func (v *Vault) Sync(ctx context.Context) error

Sync vault.

func (*Vault) SyncEnabled

func (v *Vault) SyncEnabled() (bool, error)

SyncEnabled returns true if sync is enabled. Sync is enabled once a sync has been performed and sync has not been disabled.

func (*Vault) SyncStatus

func (v *Vault) SyncStatus() (*SyncStatus, error)

SyncStatus returns status for sync, or nil, if no sync has been performed.

func (*Vault) Unlock

func (v *Vault) Unlock(key *[32]byte) (*Provision, error)

Unlock with auth. Returns provision used to unlock.

func (*Vault) UnlockWithPassword

func (v *Vault) UnlockWithPassword(password string, setup bool) error

UnlockWithPassword unlocks with a password. If setup is true, the auth is being set up for the first time. This is a convenience method that calls Setup or Unlock with KeyForPassword using the Salt.

func (*Vault) Unsync

func (v *Vault) Unsync(ctx context.Context) error

Unsync removes vault from the remote and resets the vault log.

The steps for "unsyncing" are:
- Delete the vault from the server
- Reset the log (move pull into push)
- Clear status (last synced, push, pull, nonces, rsalt)
- Clear the remote

func (*Vault) X25519Key

func (v *Vault) X25519Key(id keys.ID) (*keys.X25519Key, error)

X25519Key for id.

func (*Vault) X25519Keys

func (v *Vault) X25519Keys() ([]*keys.X25519Key, error)

X25519Keys from the vault. Also includes edx25519 keys converted to x25519 keys.
