kes

package module
package module v0.6.1
Warning: This package is not in the latest version of its module.
Published: Mar 18, 2020 License: AGPL-3.0 Imports: 12 Imported by: 20

README

Kes

Kes is a tool for managing and distributing secret keys at scale. In particular, it decouples a traditional key management system (KMS), such as AWS-KMS or Hashicorp Vault, from large-scale and high-performance applications.

Install

Binary Releases

OS       ARCH    Binary
Linux    amd64   linux-amd64
Linux    arm     linux-arm
Apple    amd64   darwin-amd64
Windows  amd64   windows-amd64

You can also verify the binary with minisign by downloading the corresponding .minisign signature file. Then run:

minisign -Vm <OS-ARCH>.zip -P RWRcOzQ19UrKLp4rkfssIwwWiWagluGJ8fpUBh/BeH+bZV3keFcdIJTF
Docker

Pull the latest release via:

docker pull minio/kes

Build from source

GO111MODULE=on go get github.com/minio/kes/cmd/kes

You will need a working Go environment. Therefore, please follow How to install Go. The minimum version required is go1.13.

Getting Started

For your first steps, check out our Getting Started guide.

License

Use of kes is governed by the AGPLv3 license that can be found in the LICENSE file.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

func NewClient

func NewClient(addr string, config *tls.Config) *Client

func (*Client) AssignIdentity

func (c *Client) AssignIdentity(policy string, id Identity) error

func (*Client) CreateKey

func (c *Client) CreateKey(name string) error

CreateKey tries to create a new master key with the specified name. The master key will be generated by the KES server.

func (*Client) DecryptDataKey

func (c *Client) DecryptDataKey(name string, ciphertext, context []byte) ([]byte, error)

func (*Client) DeleteKey

func (c *Client) DeleteKey(name string) error

func (*Client) DeletePolicy

func (c *Client) DeletePolicy(name string) error

func (*Client) ForgetIdentity

func (c *Client) ForgetIdentity(id Identity) error

func (*Client) GenerateDataKey

func (c *Client) GenerateDataKey(name string, context []byte) ([]byte, []byte, error)
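Envelope encryption with the two calls above, as an added example that is not part of the kes package: the DataKeyService interface, Seal and Open are this example's own names, and the interface mirrors the documented GenerateDataKey and DecryptDataKey signatures so that a *kes.Client can be passed where a service is expected. The data key returned by the server is used once to seal the payload and then discarded; only the wrapped key travels with the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// DataKeyService is the part of the kes Client API this example uses; the method
// signatures match GenerateDataKey and DecryptDataKey above, so a *kes.Client fits.
type DataKeyService interface {
	GenerateDataKey(name string, context []byte) ([]byte, []byte, error)
	DecryptDataKey(name string, ciphertext, context []byte) ([]byte, error)
}

// Seal asks KES for a fresh data key bound to context, encrypts plaintext with it
// (AES-GCM keyed with the returned data key, context doubling as AAD) and returns
// the wrapped key plus nonce||ciphertext. The plaintext data key is not retained.
func Seal(svc DataKeyService, name string, context, plaintext []byte) ([]byte, []byte, error) {
	key, wrapped, err := svc.GenerateDataKey(name, context)
	if err != nil { return nil, nil, err }
	aead, err := newGCM(key)
	if err != nil { return nil, nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, nil, err }
	return wrapped, aead.Seal(nonce, nonce, plaintext, context), nil
}

// Open has KES unwrap the data key under the same context it was generated with,
// then authenticates and decrypts the nonce||ciphertext produced by Seal.
func Open(svc DataKeyService, name string, context, wrapped, sealed []byte) ([]byte, error) {
	key, err := svc.DecryptDataKey(name, wrapped, context)
	if err != nil { return nil, err }
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], context)
	}
	return nil, errors.New("sealed payload shorter than a nonce")
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte data key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
```

Because context is also bound as AAD on the payload, a ciphertext cannot be replayed under another context even by a caller who can have the wrapped key decrypted.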

func (*Client) ImportKey added in v0.5.0

func (c *Client) ImportKey(name string, key []byte) error

ImportKey tries to import key as a new master key with the specified name. In contrast to CreateKey, the client specifies, and therefore knows, the value of the master key.

func (*Client) ListIdentities

func (c *Client) ListIdentities(pattern string) (map[Identity]string, error)

func (*Client) ListPolicies

func (c *Client) ListPolicies(pattern string) ([]string, error)

func (*Client) ReadPolicy

func (c *Client) ReadPolicy(name string) (*Policy, error)

func (*Client) TraceAuditLog added in v0.5.0

func (c *Client) TraceAuditLog() (io.ReadCloser, error)

func (*Client) Transport

func (c *Client) Transport(transport http.RoundTripper)

func (*Client) Version added in v0.6.0

func (c *Client) Version() (string, error)

Version tries to fetch the version information from the KES server.

func (*Client) WritePolicy

func (c *Client) WritePolicy(name string, policy *Policy) error

type Error added in v0.6.0

type Error struct {
	// contains filtered or unexported fields
}

Error is the type of client-server API errors. A Client returns an Error if a server responds with a well-formed error message.

An Error contains the HTTP status code sent by the server. Errors with the same status code and error message are equal. In particular:

ErrKeyExists == NewError(400, "key does already exist") // true

The client may distinguish errors as following:

switch err := client.CreateKey("example-key"); err {
    case nil: // Success!
    case ErrKeyExists:
       // The key "example-key" already exists.
    case ErrNotAllowed:
       // We don't have the permission to create this key.
    default:
       // Something else went wrong.
}

var (
	ErrKeyNotFound Error = NewError(http.StatusNotFound, "key does not exist")
	ErrKeyExists   Error = NewError(http.StatusBadRequest, "key does already exist")
	ErrNotAllowed  Error = NewError(http.StatusForbidden, "prohibited by policy")
)

func NewError

func NewError(code int, msg string) Error

NewError returns a new Error with the given HTTP status code and error message.

Two errors with the same status code and error message are equal.

func (Error) Error added in v0.6.0

func (e Error) Error() string

func (Error) Status added in v0.6.0

func (e Error) Status() int

Status returns the HTTP status code of the error.

type Identity

type Identity string

An Identity should uniquely identify a client and is computed from the X.509 certificate presented by the client during the TLS handshake using an IdentityFunc.

const IdentityUnknown Identity = ""

IdentityUnknown is the identity returned by an IdentityFunc if it cannot map a particular X.509 certificate to an actual identity.

func (Identity) IsUnknown

func (id Identity) IsUnknown() bool

IsUnknown returns true if and only if the identity is IdentityUnknown.

func (Identity) String

func (id Identity) String() string

String returns the string representation of the identity.

type Policy

type Policy struct {
	// contains filtered or unexported fields
}

func NewPolicy

func NewPolicy(patterns ...string) (*Policy, error)

func (Policy) MarshalJSON

func (p Policy) MarshalJSON() ([]byte, error)

func (Policy) MarshalTOML

func (p Policy) MarshalTOML() ([]byte, error)

func (*Policy) String

func (p *Policy) String() string

func (*Policy) UnmarshalJSON

func (p *Policy) UnmarshalJSON(b []byte) error

func (*Policy) UnmarshalTOML

func (p *Policy) UnmarshalTOML(b []byte) error

func (*Policy) Verify

func (p *Policy) Verify(r *http.Request) error

Directories

Path: Synopsis
cmd/kes
internal/aws
internal/cache: Package cache implements an in-memory cache for secret keys.
internal/fs: Package fs implements a secret key store that stores secret keys as files on the file system.
internal/log
internal/mem: Package mem implements an in-memory secret key store.
internal/vault: Package vault implements a secret key store that stores secret keys as key-value entries on the Hashicorp Vault K/V secret backend.
