vault


Constants

// Secret version states, used for the State field of SecretVersion.
// SecretStateAlive is the zero value. On a KV v2 mount a Deleted version is
// soft-deleted (see Vault.DeleteVersions) and can presumably be restored with
// Vault.Undelete, whereas a Destroyed version is irrevocably gone
// (see Vault.DestroyVersions).
const (
	SecretStateAlive uint = iota
	SecretStateDeleted
	SecretStateDestroyed
)

Variables

This section is empty.

Functions

func Canonicalize

func Canonicalize(p string) string

func CategorizeSANs

func CategorizeSANs(in []string) (ips []net.IP, domains, emails []string)

func DecodeErrorResponse

func DecodeErrorResponse(body []byte) error

func EncodePath

func EncodePath(path, key string, version uint64) string

EncodePath creates a canonical, safe-friendly path string from the given secret path, key and version (the inverse of ParsePath).

func HandleJointKeyUsages

func HandleJointKeyUsages(usages []string) (ku x509.KeyUsage, eku []x509.ExtKeyUsage, err error)

func IsKeyNotFound

func IsKeyNotFound(err error) bool

IsKeyNotFound returns true if the given error was created with NewKeyNotFoundError(). False otherwise.

func IsNotFound

func IsNotFound(err error) bool

IsNotFound returns true if the given error is a SecretNotFound error or a KeyNotFound error. Returns false otherwise.

func IsSecretNotFound

func IsSecretNotFound(err error) bool

IsSecretNotFound returns true if the given error was created with NewSecretNotFoundError(). False otherwise.

func NewKeyNotFoundError

func NewKeyNotFoundError(path, key string) error

NewKeyNotFoundError returns an error describing the key that could not be located within the secret it was searched for in. Returning a KeyNotFound error should mean that the secret which would have contained the key was itself found in the vault.

func NewSecretNotFoundError

func NewSecretNotFoundError(path string) error

NewSecretNotFoundError returns an error with a message describing the path which could not be found in the secret backend.

func ParsePath

func ParsePath(path string) (secret, key string, version uint64)

ParsePath splits the given path string into its secret path, contained key, and version parts.

func ParseSubject

func ParseSubject(subj string) (pkix.Name, error)

func PathHasKey

func PathHasKey(path string) bool

PathHasKey returns true if the given path has a key specified in its syntax. False otherwise.

func PathHasVersion

func PathHasVersion(path string) bool

PathHasVersion returns true if the given path has a version specified in its syntax. False otherwise.

func PathLessThan

func PathLessThan(left, right string) bool

func StartSOCKS5Server

func StartSOCKS5Server(dialFn func(string, string) (net.Conn, error)) (string, error)

StartSOCKS5Server starts a local SOCKS5 server on a random port whose outbound connections are opened through dialFn (typically the Dial method of the *ssh.Client returned by StartSSHTunnel), and returns the proxy address if the server was started successfully, or an error otherwise.

func StartSSHTunnel

func StartSSHTunnel(conf SOCKS5SSHConfig) (*ssh.Client, error)

StartSSHTunnel makes an SSH connection according to the given config. It returns an SSH client if it was successful and an error otherwise.

func StrongboxURL

func StrongboxURL(vaultURL *url.URL) string

func TranslateSignatureAlgorithm

func TranslateSignatureAlgorithm(signatureAlgorithm string) (sigAlgo x509.SignatureAlgorithm, err error)

Types

type CertOptions

// CertOptions are the request parameters sent to a Vault PKI backend when
// issuing a certificate (see Vault.CreateSignedCertificate). The json tags
// are the PKI issue API field names.
type CertOptions struct {
	// CN is the requested common name; always sent (no omitempty).
	CN                string `json:"common_name"`
	// TTL is the requested certificate lifetime as a duration string; when
	// empty it is omitted and the backend's role default presumably applies.
	// NOTE(review): keep this as short as the use case allows — a long-lived
	// leaf certificate widens the exposure window if its private key leaks.
	TTL               string `json:"ttl,omitempty"`
	// AltNames are the DNS/email subject alternative names, in whatever
	// list format the PKI backend expects (presumably comma-separated).
	AltNames          string `json:"alt_names,omitempty"`
	// IPSans are the IP subject alternative names.
	IPSans            string `json:"ip_sans,omitempty"`
	// ExcludeCNFromSans asks the backend not to copy CN into the SANs.
	ExcludeCNFromSans bool   `json:"exclude_cn_from_sans,omitempty"`
}

type DeleteOpts

// DeleteOpts controls Vault.Delete and Vault.DeleteTree.
type DeleteOpts struct {
	// Destroy requests irrevocable destruction instead of a soft delete;
	// on a KV v2 mount the latest version is destroyed (see Vault.Delete).
	Destroy bool
	// All — presumably applies the operation to every version of the
	// secret rather than only the latest; TODO confirm against the callers.
	All     bool
}

type MoveCopyOpts

// MoveCopyOpts controls Vault.Copy, Vault.Move and Vault.MoveCopyTree.
type MoveCopyOpts struct {
	// SkipIfExists leaves an existing secret at the destination untouched
	// instead of overwriting it.
	SkipIfExists bool
	// Quiet presumably suppresses progress/informational output.
	Quiet        bool
	// Deep copies all versions and overwrites all versions at the target
	// location (only meaningful on KV v2 mounts, which keep versions).
	Deep bool
	// DeletedVersions undeletes, reads, and re-deletes the deleted versions
	// of the source so they can be copied. It also writes dummy destroyed
	// versions to the destination to mirror destroyed versions in the source.
	// NOTE(review): the temporary undelete mutates the source, needs
	// undelete/delete capabilities on it, and briefly makes soft-deleted
	// data readable again. Makes no sense without Deep.
	DeletedVersions bool
}

type ProxyRouter

// ProxyRouter decides which HTTP proxy, if any, a request should be sent
// through, based on the captured httpproxy.Config (presumably populated from
// the HTTP_PROXY/HTTPS_PROXY/NO_PROXY environment by NewProxyRouter).
type ProxyRouter struct {
	// ProxyConf is the proxy configuration consulted by Proxy.
	ProxyConf httpproxy.Config
}

func NewProxyRouter

func NewProxyRouter() (*ProxyRouter, error)

func (ProxyRouter) Proxy

func (n ProxyRouter) Proxy(req *http.Request) (*url.URL, error)

type SOCKS5SSHConfig

// SOCKS5SSHConfig holds the settings StartSSHTunnel uses to open the SSH
// connection that a local SOCKS5 proxy (StartSOCKS5Server) is tunneled through.
type SOCKS5SSHConfig struct {
	// Host is the SSH server to connect to (presumably host or host:port).
	Host                  string
	// User is the SSH login name.
	User                  string
	// PrivateKey is the (presumably PEM-encoded) private key used for
	// public-key authentication. Secret material: never log it, and drop
	// the slice once the client is established.
	PrivateKey            []byte
	// KnownHostsFile is the OpenSSH known_hosts file the server's host key
	// is checked against.
	KnownHostsFile        string
	// SkipHostKeyValidation disables host key checking entirely. Any server
	// key is then accepted, so the tunnel — and every secret carried over
	// it — can be intercepted by an on-path attacker (MITM). Only acceptable
	// for throwaway test setups; populate KnownHostsFile instead.
	SkipHostKeyValidation bool
}

SOCKS5SSHConfig contains configuration variables for setting up a SOCKS5 proxy to be tunneled through an SSH connection.

type Secret

type Secret struct {
	// contains filtered or unexported fields
}

A Secret contains a set of key/value pairs that store anything you want, including passwords, RSA keys, usernames, etc.

func NewSecret

func NewSecret() *Secret

func (*Secret) DHParam

func (s *Secret) DHParam(length int, skipIfExists bool) error

func (*Secret) Delete

func (s *Secret) Delete(key string) bool

Delete removes the entry with the given key from the Secret. Returns true if there was a matching object to delete. False otherwise.

func (*Secret) Empty

func (s *Secret) Empty() bool

Empty returns true if there are no key-value pairs in this Secret object. False otherwise.

func (*Secret) Format

func (s *Secret) Format(oldKey, newKey, fmtType string, skipIfExists bool) error

func (*Secret) Get

func (s *Secret) Get(key string) string

Get retrieves the value of the given key, or "" if no such key exists.

func (*Secret) Has

func (s *Secret) Has(key string) bool

Has returns true if the Secret has defined the given key.

func (*Secret) JSON

func (s *Secret) JSON() string

JSON converts a Secret to its JSON representation and returns it as a string. Returns an empty string if there were any errors.

func (*Secret) Keys

func (s *Secret) Keys() []string

func (Secret) MarshalJSON

func (s Secret) MarshalJSON() ([]byte, error)

func (*Secret) Password

func (s *Secret) Password(key string, length int, policy string, skipIfExists bool) error

Password creates and stores a new randomized password.

func (*Secret) RSAKey

func (s *Secret) RSAKey(bits int, skipIfExists bool) error

RSAKey generates a new public/private keypair, and stores it in the secret, under the 'public' and 'private' keys.

func (*Secret) SSHKey

func (s *Secret) SSHKey(bits int, skipIfExists bool) error

SSHKey generates a new public/private keypair, and stores it in the secret, under the 'public' and 'private' keys.

func (*Secret) Set

func (s *Secret) Set(key, value string, skipIfExists bool) error

Set stores a value in the Secret, under the given key.

func (*Secret) SingleValue

func (s *Secret) SingleValue() (string, error)

SingleValue converts a secret to a string holding its single value. Returns an error unless the secret contains exactly one key/value pair.

func (*Secret) UnmarshalJSON

func (s *Secret) UnmarshalJSON(b []byte) error

func (Secret) X509

func (s Secret) X509(requireKey bool) (*X509, error)

func (*Secret) YAML

func (s *Secret) YAML() string

YAML converts a Secret to its YAML representation and returns it as a string. Returns an empty string if there were any errors.

type SecretEntry

// SecretEntry is one secret path together with the versions fetched for it
// (as built by Vault.ConstructSecrets).
type SecretEntry struct {
	// Path is the full path of the secret in Vault.
	Path     string
	// Versions holds the fetched versions. How many are present, and whether
	// their Data is populated, depends on the TreeOpts used to build the tree.
	Versions []SecretVersion
}

func (SecretEntry) Basename

func (s SecretEntry) Basename() string

func (SecretEntry) Copy

func (s SecretEntry) Copy(v *Vault, dst string, opts TreeCopyOpts) error

type SecretVersion

// SecretVersion is a single version of a secret.
type SecretVersion struct {
	// Data is the key/value content. Presumably nil when keys were not
	// fetched or when the version is deleted/destroyed — TODO confirm.
	Data   *Secret
	// Number is the KV v2 version number.
	Number uint
	// State is one of SecretStateAlive, SecretStateDeleted or
	// SecretStateDestroyed.
	State  uint
}

type Secrets

// Secrets is a list of SecretEntry values, normally produced by
// Vault.ConstructSecrets; see Sort, Merge, Paths and Draw.
type Secrets []SecretEntry

func (*Secrets) Append

func (s *Secrets) Append(e SecretEntry)

func (Secrets) Draw

func (s Secrets) Draw(root string, color, secrets bool) string

func (Secrets) Merge

func (s1 Secrets) Merge(s2 Secrets) Secrets

func (Secrets) Paths

func (s Secrets) Paths() []string

func (Secrets) Sort

func (s Secrets) Sort()

type TreeCopyOpts

// TreeCopyOpts controls SecretEntry.Copy.
type TreeCopyOpts struct {
	// Clear wipes the secret in place at the destination before copying.
	Clear bool
	// Pad inserts dummy versions where Vault has truncated old versions
	// (presumably past the mount's max_versions), so that version numbers
	// at the destination line up with the source.
	Pad bool
}

type TreeOpts

// TreeOpts controls how Vault.ConstructSecrets walks a subtree.
type TreeOpts struct {
	// FetchKeys also reads each secret's keys (for tree/paths --keys).
	// Overrides SkipVersionInfo.
	FetchKeys bool
	// AllowDeletedSecrets keeps entries whose latest version is deleted.
	// KV v2 backends show deleted secrets in the list by default; leaving
	// this unset causes entries with the latest version deleted to be purged.
	// Ignored by constructTree; only used by ConstructSecrets.
	AllowDeletedSecrets bool
	// SkipVersionInfo skips fetching per-version metadata. Overridden by FetchKeys.
	SkipVersionInfo bool
	// FetchAllVersions fetches every version of each secret in the tree
	// rather than only the latest.
	FetchAllVersions bool
	// GetDeletedVersions tells the workers to temporarily undelete deleted
	// versions to fetch their value, then delete them again.
	// NOTE(review): this mutates the source, needs undelete/delete
	// capabilities on it, and briefly makes soft-deleted data readable.
	GetDeletedVersions bool
	// GetOnly only performs gets. If the target is not a secret, an error
	// is returned (presumably instead of falling back to a list).
	GetOnly bool
}

type Vault

type Vault struct {
	// contains filtered or unexported fields
}

func NewVault

func NewVault(conf VaultConfig) (*Vault, error)

NewVault creates a new Vault object. If an empty token is specified, the current user's token is read from ~/.vault-token.

func (*Vault) AddMount

func (v *Vault) AddMount(path string, version int) error

func (*Vault) CheckPKIBackend

func (v *Vault) CheckPKIBackend(backend string) error

func (*Vault) Client

func (v *Vault) Client() *vaultkv.KV

func (*Vault) ConstructSecrets

func (v *Vault) ConstructSecrets(path string, opts TreeOpts) (s Secrets, err error)

func (*Vault) Copy

func (v *Vault) Copy(oldpath, newpath string, opts MoveCopyOpts) error

Copy copies secrets from one path to another. When a secret:key is specified: key -> key works; key -> (no key) works and the original key name is kept; (no key) -> key is invalid and is rejected. Returns a KeyNotFound error if the specified key does not exist in the secret at oldpath.

func (*Vault) CreateSignedCertificate

func (v *Vault) CreateSignedCertificate(backend, role, path string, params CertOptions, skipIfExists bool) error

func (*Vault) Curl

func (v *Vault) Curl(method string, path string, body []byte) (*http.Response, error)

func (*Vault) Delete

func (v *Vault) Delete(path string, opts DeleteOpts) error

Delete removes the secret or key stored at the specified path. If opts.Destroy is true and the mount is KV v2, the latest version is irrevocably destroyed instead of being soft-deleted.

func (*Vault) DeleteTree

func (v *Vault) DeleteTree(root string, opts DeleteOpts) error

DeleteTree recursively deletes the leaf nodes beneath the given root until the root has no children, and then deletes that.

func (*Vault) DeleteVersions

func (v *Vault) DeleteVersions(path string, versions []uint) error

DeleteVersions marks the given versions of the given secret as deleted on a KV v2 backend, or permanently deletes the secret on a KV v1 backend (which has no version history).

func (*Vault) DestroyVersions

func (v *Vault) DestroyVersions(path string, versions []uint) error

DestroyVersions irrevocably destroys the given versions of the given secret

func (*Vault) FindSigningCA

func (v *Vault) FindSigningCA(cert *X509, certPath string, signPath string) (*X509, string, error)

func (*Vault) Init

func (v *Vault) Init(nkeys, threshold int) ([]string, string, error)

func (*Vault) IsMounted

func (v *Vault) IsMounted(typ, path string) (bool, error)

func (*Vault) List

func (v *Vault) List(path string) (paths []string, err error)

List returns the set of (relative) paths that are directly underneath the given path. Intermediate path nodes are suffixed with a single "/", whereas leaf nodes (the secrets themselves) are not.

func (*Vault) ListMounts

func (v *Vault) ListMounts() (mounts []string, err error)

func (*Vault) Mount

func (v *Vault) Mount(typ, path string, params map[string]interface{}) error

func (*Vault) MountExists

func (v *Vault) MountExists(path string) (bool, error)

func (*Vault) MountVersion

func (v *Vault) MountVersion(path string) (uint, error)

func (*Vault) Mounts

func (v *Vault) Mounts(typ string) ([]string, error)

func (*Vault) Move

func (v *Vault) Move(oldpath, newpath string, opts MoveCopyOpts) error

Move moves secrets from one path to another. A move is semantically a copy and then a deletion of the original item. For more information on the behavior of Move pertaining to keys, look at Copy.

func (*Vault) MoveCopyTree

func (v *Vault) MoveCopyTree(oldRoot, newRoot string, f func(string, string, MoveCopyOpts) error, opts MoveCopyOpts) error

MoveCopyTree recursively copies (or moves, depending on f) all nodes beneath oldRoot to newRoot. It does not understand 'secret:key' syntax, so callers must not route such paths here — they make no sense for a recursive operation anyway.

func (*Vault) NewRootToken

func (v *Vault) NewRootToken(keys []string) (string, error)

func (*Vault) ReKey

func (v *Vault) ReKey(unsealKeyCount, numToUnseal int, pgpKeys []string) ([]string, error)

func (*Vault) Read

func (v *Vault) Read(path string) (secret *Secret, err error)

Read checks the Vault for a Secret at the specified path, and returns it. If there is nothing at that path, a nil *Secret will be returned, with no error.

func (*Vault) RenewLease

func (v *Vault) RenewLease() error

func (*Vault) RetrievePem

func (v *Vault) RetrievePem(backend, path string) ([]byte, error)

func (*Vault) RevokeCertificate

func (v *Vault) RevokeCertificate(backend, serial string) error

func (*Vault) SaveSealKeys

func (v *Vault) SaveSealKeys(keys []string)

func (*Vault) Seal

func (v *Vault) Seal() (bool, error)

func (*Vault) SealKeys

func (v *Vault) SealKeys() (int, error)

SealKeys returns the number of unseal keys (the threshold) required to unseal the vault.

func (*Vault) Sealed

func (v *Vault) Sealed() (bool, error)

func (*Vault) SetURL

func (v *Vault) SetURL(u string)

func (*Vault) Strongbox

func (v *Vault) Strongbox() (map[string]string, error)

func (*Vault) Undelete

func (v *Vault) Undelete(path string) error

func (*Vault) Unseal

func (v *Vault) Unseal(keys []string) error

func (*Vault) Versions

func (v *Vault) Versions(path string) ([]vaultkv.KVVersion, error)

func (*Vault) Write

func (v *Vault) Write(path string, s *Secret) error

Write takes a Secret and writes it to the Vault at the specified path.

type VaultConfig

// VaultConfig is what NewVault needs to reach and authenticate to a Vault server.
type VaultConfig struct {
	// URL is the Vault server address (scheme, host and port).
	URL        string
	// Token is the Vault token to authenticate with. If empty, NewVault reads
	// the current user's token from ~/.vault-token. Secret material: keep it
	// out of logs, error messages and command lines.
	Token      string
	// Namespace is the Vault namespace to operate in (presumably the
	// X-Vault-Namespace header); empty for none.
	Namespace  string
	// CACerts is the pool of CAs trusted for the server's TLS certificate;
	// nil presumably falls back to the system roots.
	CACerts    *x509.CertPool
	// SkipVerify disables TLS certificate verification. With it set, the
	// token and every secret read or written can be intercepted by an
	// on-path attacker impersonating the server. Only acceptable against a
	// local test server; for private CAs supply CACerts instead.
	SkipVerify bool
}

type X509

// X509 bundles a certificate with the material needed to act on it: its
// issuing chain, its RSA private key (if known), serial number, CRL (when it
// is a CA), and the key usages requested for it.
type X509 struct {
	// Intermediaries are the intermediate CA certificates between
	// Certificate and the root, if any.
	Intermediaries []*x509.Certificate
	// Certificate is the leaf (or CA) certificate itself.
	Certificate    *x509.Certificate
	// PrivateKey is the RSA private key matching Certificate; nil when only
	// the public half is available (see Secret.X509's requireKey). Only RSA
	// keys are representable here — ECDSA/Ed25519 keys cannot be held.
	PrivateKey     *rsa.PrivateKey
	// Serial is the certificate's serial number.
	Serial         *big.Int
	// CRL is the revocation list maintained when this X509 is a CA
	// (see Revoke and HasRevoked). NOTE(review): *pkix.CertificateList is
	// deprecated in the standard library since Go 1.19 in favour of
	// x509.RevocationList.
	CRL            *pkix.CertificateList

	// KeyUsage and ExtKeyUsage are the usages to encode in the certificate
	// (see HandleJointKeyUsages).
	KeyUsage    x509.KeyUsage
	ExtKeyUsage []x509.ExtKeyUsage
}

func NewCertificate

func NewCertificate(subj string, names, keyUsage []string, signatureAlgorithm string, bits int) (*X509, error)

func (X509) CheckStrength

func (x X509) CheckStrength(bits ...int) error

func (X509) Expired

func (x X509) Expired() bool

func (*X509) ExpiryString

func (c *X509) ExpiryString() string

func (*X509) FormatSerial

func (c *X509) FormatSerial() string

func (*X509) HasRevoked

func (ca *X509) HasRevoked(cert *X509) bool

func (*X509) IntermediarySubject

func (x *X509) IntermediarySubject(n int) string

func (X509) IsCA

func (x X509) IsCA() bool

func (*X509) Issuer

func (x *X509) Issuer() string

func (*X509) MakeCA

func (x *X509) MakeCA()

func (*X509) Revoke

func (ca *X509) Revoke(cert *X509)

func (*X509) SaveTo

func (ca *X509) SaveTo(v *Vault, path string, skipIfExists bool) error

func (X509) Secret

func (x X509) Secret(skipIfExists bool) (*Secret, error)

func (*X509) Sign

func (ca *X509) Sign(x *X509, ttl time.Duration) error

func (*X509) Subject

func (x *X509) Subject() string

func (X509) ValidFor

func (x X509) ValidFor(names ...string) (bool, error)

func (X509) ValidForDomain

func (x X509) ValidForDomain(domain string) bool

func (X509) ValidForEmail

func (x X509) ValidForEmail(email string) bool

func (X509) ValidForIP

func (x X509) ValidForIP(ip net.IP) bool

func (X509) Validate

func (x X509) Validate() error
