Documentation ¶
Index ¶
- Variables
- func Collections(st Store, parent string) ([]string, error)
- func ConvertKeyring(kr keyring.Keyring, to *Vault) (bool, error)
- func Copy(from Store, to Store, opt ...CopyOption) ([]string, error)
- func SetLogger(l Logger)
- type AuthType
- type Client
- func (c *Client) Vault(ctx context.Context, key *keys.EdX25519Key, index int64) (*Events, error)
- func (c *Client) VaultDelete(ctx context.Context, key *keys.EdX25519Key) error
- func (c *Client) VaultExists(ctx context.Context, key *keys.EdX25519Key) (bool, error)
- func (c *Client) VaultSend(ctx context.Context, key *keys.EdX25519Key, events []*Event) error
- type CopyOption
- type CopyOptions
- type DB
- func (d *DB) Close() error
- func (d *DB) Delete(path string) (bool, error)
- func (d *DB) Exists(path string) (bool, error)
- func (d *DB) Get(path string) ([]byte, error)
- func (d *DB) List(opts *ListOptions) ([]*Entry, error)
- func (d *DB) Name() string
- func (d *DB) Open() error
- func (d *DB) Reset() error
- func (d *DB) Set(path string, b []byte) error
- type Entry
- type Event
- type Events
- type Item
- type ListOptions
- type LogLevel
- type Logger
- type Option
- type Options
- type Provision
- type Remote
- type Response
- type Status
- type Store
- type SyncStatus
- type Vault
- func (v *Vault) CheckSync(ctx context.Context, expire time.Duration) (bool, error)
- func (v *Vault) Clone(ctx context.Context, remote *Remote) error
- func (v *Vault) Close() error
- func (v *Vault) Delete(id string) (bool, error)
- func (v *Vault) Deprovision(id string, force bool) (bool, error)
- func (v *Vault) Get(id string) (*Item, error)
- func (v *Vault) IsEmpty() (bool, error)
- func (v *Vault) ItemHistory(id string) ([]*Item, error)
- func (v *Vault) Items() ([]*Item, error)
- func (v *Vault) Lock()
- func (v *Vault) MasterKey() *[32]byte
- func (v *Vault) Now() time.Time
- func (v *Vault) Open() error
- func (v *Vault) Provision(key *[32]byte, provision *Provision) error
- func (v *Vault) ProvisionSave(provision *Provision) error
- func (v *Vault) Provisions() ([]*Provision, error)
- func (v *Vault) Pull(ctx context.Context) error
- func (v *Vault) Remote() *Remote
- func (v *Vault) Reset() error
- func (v *Vault) Salt() ([]byte, error)
- func (v *Vault) Set(item *Item) error
- func (v *Vault) SetClient(client *Client)
- func (v *Vault) Setup(key *[32]byte, provision *Provision) error
- func (v *Vault) Spew(prefix string, out io.Writer) error
- func (v *Vault) Status() (Status, error)
- func (v *Vault) Store() Store
- func (v *Vault) Sync(ctx context.Context) error
- func (v *Vault) SyncEnabled() (bool, error)
- func (v *Vault) SyncStatus() (*SyncStatus, error)
- func (v *Vault) Unlock(key *[32]byte) (*Provision, error)
- func (v *Vault) UnlockWithPassword(password string, setup bool) error
- func (v *Vault) Unsync(ctx context.Context) error
Examples ¶
Constants ¶
This section is empty.
Variables ¶
var ErrAlreadyOpen = errors.Errorf("vault already open")
ErrAlreadyOpen if you try to open when it is already open.
var ErrAlreadySetup = errors.New("vault is already setup")
ErrAlreadySetup if already setup.
var ErrInvalidAuth = errors.New("invalid auth")
ErrInvalidAuth if auth is invalid.
var ErrItemValueTooLarge = errors.New("item value is too large")
ErrItemValueTooLarge if the item value is too large.
var ErrLocked = errors.New("vault is locked")
ErrLocked if you try to access vault while it is locked.
var ErrNotOpen = errors.Errorf("vault not open")
ErrNotOpen if you try to use the vault when it isn't open.
Functions ¶
func Collections ¶
Collections lists collection paths from parent.
func ConvertKeyring ¶
ConvertKeyring converts a keyring store into a Vault.
Types ¶
type Client ¶
Client for API.
func (*Client) Vault ¶
Vault events. Vault data is decrypted using the vault key before being returned. If truncated, there are more results if you call again with the new index.
func (*Client) VaultDelete ¶
VaultDelete removes a vault.
func (*Client) VaultExists ¶
VaultExists checks if vault exists.
type CopyOption ¶
// CopyOption configures a Copy call; SkipExisting is one such option.
type CopyOption func(*CopyOptions)
CopyOption configures Copy.
func SkipExisting ¶
func SkipExisting() CopyOption
SkipExisting to skip existing entries, otherwise error.
type Event ¶
// Event describes a vault event.
type Event struct {
	// Path for event.
	Path string `json:"path" msgpack:"p"`
	// Data for event.
	Data []byte `json:"data" msgpack:"dat"`
	// RemoteIndex is set from the remote events API (untrusted).
	// The "-" tags keep it out of JSON and msgpack encoding.
	RemoteIndex int64 `json:"-" msgpack:"-"`
	// RemoteTimestamp is set from the remote events API (untrusted).
	// The "-" tags keep it out of JSON and msgpack encoding; treat it as
	// informational rather than as a basis for validity decisions.
	RemoteTimestamp time.Time `json:"-" msgpack:"-"`
}
Event describes a vault event.
type Item ¶
// Item in the vault, uses msgpack.
type Item struct {
	// ID for item. Item IDs are NOT encrypted locally.
	ID string `msgpack:"id"`
	// Data for item.
	Data []byte `msgpack:"dat"`
	// Type for item data.
	Type string `msgpack:"typ,omitempty"`
	// Timestamp for item.
	Timestamp time.Time `msgpack:"cts,omitempty"`
}
Item in the vault, uses msgpack.
type ListOptions ¶
ListOptions for listing Store.
type Logger ¶
// Logger interface used in this package. Method names follow the usual
// leveled Debug/Info/Warning/Error/Fatal convention.
type Logger interface {
	Debugf(format string, args ...interface{})
	Infof(format string, args ...interface{})
	Warningf(format string, args ...interface{})
	Errorf(format string, args ...interface{})
	Fatalf(format string, args ...interface{})
}
Logger interface used in this package.
type Provision ¶
// Provision is unencrypted provision and parameters used by client auth.
// NOTE(review): these fields are stored unencrypted, so none of them should
// ever carry key material — confirm for the FIDO2 salt.
type Provision struct {
	// ID for provision.
	ID string `msgpack:"id" json:"id"`
	// Type of auth this provision is for.
	Type AuthType `msgpack:"type" json:"type"`
	// CreatedAt is when the provision was created.
	CreatedAt time.Time `msgpack:"cts" json:"cts"`
	// AAGUID (for FIDO2HMACSecret)
	AAGUID string `msgpack:"aaguid,omitempty" json:"aaguid"`
	// Salt (for FIDO2HMACSecret)
	Salt []byte `msgpack:"salt,omitempty" json:"salt"`
	// NoPin (for FIDO2HMACSecret)
	NoPin bool `msgpack:"nopin,omitempty" json:"nopin"`
}
Provision is unencrypted provision and parameters used by client auth.
func NewProvision ¶
NewProvision creates a new provision.
type Remote ¶
// Remote for vault.
type Remote struct {
	// URL of the remote server.
	URL *url.URL `json:"url,omitempty"`
	// Key is presumably the vault auth key returned by Vault.Remote. It is
	// serialized under the JSON "key" field, so a marshaled Remote carries
	// key material and must be handled accordingly.
	Key *keys.EdX25519Key `json:"key"`
	// Salt for the remote.
	Salt []byte `json:"salt"`
}
Remote for vault.
type Response ¶
// Response for vault events.
type Response struct {
	// Vault holds the returned events.
	Vault []*api.Event `json:"vault" msgpack:"vault"`
	// Index to pass on the next call to continue from.
	Index int64 `json:"idx" msgpack:"idx"`
	// Truncated reports that more results remain; call again with Index.
	Truncated bool `json:"truncated,omitempty" msgpack:"trunc,omitempty"`
}
Response for vault events.
type Store ¶
// Store is the interface used to store data.
type Store interface {
	// Name of the Store implementation.
	Name() string
	// Get bytes.
	Get(path string) ([]byte, error)
	// Set bytes.
	Set(path string, data []byte) error
	// Delete bytes.
	Delete(path string) (bool, error)
	// List store entries.
	List(opts *ListOptions) ([]*Entry, error)
	// Open store.
	Open() error
	// Close store.
	Close() error
	// Reset store.
	Reset() error
}
Store is the interface used to store data.
type SyncStatus ¶
SyncStatus is status of sync.
type Vault ¶
// Vault stores keys and secrets.
type Vault struct {
	// contains filtered or unexported fields
}
Vault stores keys and secrets.
func New ¶
New vault.
Example ¶
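package main

import (
	"fmt"
	"log"
	"time"

	"github.com/keys-pub/keys-ext/vault"
)

// run exercises the vault API and returns the first error it hits.
// Returning errors instead of calling log.Fatal inline lets the deferred
// Close run on every exit path (log.Fatal exits without running defers).
func run() error {
	// New vault.
	// Use vault.NewDB for a persistent store.
	vlt := vault.New(vault.NewMem())
	if err := vlt.Open(); err != nil {
		return err
	}
	defer vlt.Close()

	// Setup auth.
	if err := vlt.UnlockWithPassword("mypassword", true); err != nil {
		return err
	}

	// Save item.
	// Item IDs are NOT encrypted locally.
	item := vault.NewItem("id1", []byte("mysecret"), "", time.Now())
	if err := vlt.Set(item); err != nil {
		return err
	}

	// Get item.
	out, err := vlt.Get("id1")
	if err != nil {
		return err
	}
	fmt.Printf("secret: %s\n", string(out.Data))

	// List items.
	items, err := vlt.Items()
	if err != nil {
		return err
	}
	for _, it := range items {
		fmt.Printf("%s: %v\n", it.ID, string(it.Data))
	}
	return nil
}

func main() {
	if err := run(); err != nil {
		log.Fatal(err)
	}
}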
Output:
secret: mysecret
id1: mysecret
func (*Vault) CheckSync ¶
CheckSync performs sync unless disabled or already synced recently (within expire duration).
func (*Vault) Deprovision ¶
Deprovision auth. Doesn't require Unlock().
func (*Vault) ItemHistory ¶
ItemHistory returns history of an item. Items with empty data are deleted items. This is slow.
func (*Vault) MasterKey ¶
MasterKey returns master key, if unlocked. The master key is used to encrypt items in the vault. It's not recommended to use this key for anything other than possibly deriving new keys. TODO: Point to spec.
func (*Vault) ProvisionSave ¶
ProvisionSave for auth methods that need to store registration data before key is available (for example, FIDO2 hmac-secret).
func (*Vault) Provisions ¶
Provisions are currently provisioned auth. Doesn't require Unlock().
func (*Vault) Remote ¶
Remote returns remote server and auth, if unlocked. The vault auth key is used to encrypt and verify vault items from the server. This encryption happens on top of the encryption by the master key. TODO: Point to spec.
func (*Vault) Salt ¶
Salt is default salt value, generated on first access. This salt value is not encrypted. Doesn't require Unlock().
func (*Vault) Setup ¶
Setup auth, if no auth exists. Returns ErrAlreadySetup if already setup. Doesn't require Unlock().
func (*Vault) Status ¶
Status returns vault status. If there are no auths or provisions, returns vault.Setup. Doesn't require Unlock(). TODO: We may want to re-think hardware provisioning requiring a separate Unlock step on setup.
func (*Vault) SyncEnabled ¶
SyncEnabled returns true if sync is enabled. Sync is enabled once a sync has been performed and sync has not been disabled.
func (*Vault) SyncStatus ¶
func (v *Vault) SyncStatus() (*SyncStatus, error)
SyncStatus returns status for sync, or nil, if no sync has been performed.
func (*Vault) UnlockWithPassword ¶
UnlockWithPassword unlocks with a password. If setup is true, we are setting up the auth for the first time. This is a convenience method, calling Setup or Unlock with KeyForPassword using the Salt.