vault

package
Version: v0.7.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 16, 2017 License: MPL-2.0 Imports: 77 Imported by: 0

Documentation

Overview

Package vault is a generated protocol buffer package.

It is generated from these files:

request_forwarding_service.proto

It has these top-level messages:

Index

Constants

View Source
const (
	AESGCMVersion1 = 0x1
	AESGCMVersion2 = 0x2
)

Versions of the AESGCM storage methodology

View Source
const (
	DenyCapability   = "deny"
	CreateCapability = "create"
	ReadCapability   = "read"
	UpdateCapability = "update"
	DeleteCapability = "delete"
	ListCapability   = "list"
	SudoCapability   = "sudo"
	RootCapability   = "root"

	// Backwards compatibility
	OldDenyPathPolicy  = "deny"
	OldReadPathPolicy  = "read"
	OldWritePathPolicy = "write"
	OldSudoPathPolicy  = "sudo"
)
View Source
const (
	DenyCapabilityInt uint32 = 1 << iota
	CreateCapabilityInt
	ReadCapabilityInt
	UpdateCapabilityInt
	DeleteCapabilityInt
	ListCapabilityInt
	SudoCapabilityInt
)
View Source
const (
	TestClusterCACert = `` /* 1183-byte string literal not displayed */

	TestClusterCAKey = `` /* 1674-byte string literal not displayed */

	TestClusterServerCert = `` /* 1349-byte string literal not displayed */

	TestClusterServerKey = `` /* 1678-byte string literal not displayed */

)
View Source
const (

	// Internal so as not to log a trace message
	IntNoForwardingHeaderName = "X-Vault-Internal-No-Request-Forwarding"
)

Variables

View Source
var (
	// ErrBarrierSealed is returned if an operation is performed on
	// a sealed barrier. No operation is expected to succeed before unsealing
	ErrBarrierSealed = errors.New("Vault is sealed")

	// ErrBarrierAlreadyInit is returned if the barrier is already
	// initialized. This prevents a re-initialization.
	ErrBarrierAlreadyInit = errors.New("Vault is already initialized")

	// ErrBarrierNotInit is returned if a non-initialized barrier
	// is attempted to be unsealed.
	ErrBarrierNotInit = errors.New("Vault is not initialized")

	// ErrBarrierInvalidKey is returned if the Unseal key is invalid
	ErrBarrierInvalidKey = errors.New("Unseal failed, invalid key")
)
View Source
var (
	// ErrAlreadyInit is returned if the core is already
	// initialized. This prevents a re-initialization.
	ErrAlreadyInit = errors.New("Vault is already initialized")

	// ErrNotInit is returned if a non-initialized barrier
	// is attempted to be unsealed.
	ErrNotInit = errors.New("Vault is not initialized")

	// ErrInternalError is returned when we don't want to leak
	// any information about an internal error
	ErrInternalError = errors.New("internal error")

	// ErrHANotEnabled is returned if the operation only makes sense
	// in an HA setting
	ErrHANotEnabled = errors.New("Vault is not configured for highly-available mode")

	LastRemoteWAL = lastRemoteWALImpl
)
View Source
var (
	TestCoreUnsealedWithConfigs = testCoreUnsealedWithConfigs
	TestSealDefConfigs          = testSealDefConfigs
)
View Source
var (
	ErrCannotForward = errors.New("cannot forward request; no connection or address not known")
)

Functions

func AddTestLogicalBackend added in v0.3.0

func AddTestLogicalBackend(name string, factory logical.Factory) error

This adds a logical backend for the test core. This needs to be invoked before the test core is created.

func CubbyholeBackendFactory added in v0.3.0

func CubbyholeBackendFactory(conf *logical.BackendConfig) (logical.Backend, error)

CubbyholeBackendFactory constructs a new cubbyhole backend

func GenerateRandBytes added in v0.5.0

func GenerateRandBytes(length int) ([]byte, error)

func LeaseSwitchedPassthroughBackend added in v0.3.0

func LeaseSwitchedPassthroughBackend(conf *logical.BackendConfig, leases bool) (logical.Backend, error)

LeaseSwitchedPassthroughBackendFactory returns a PassthroughBackend with leases switched on or off

func LeasedPassthroughBackendFactory added in v0.3.0

func LeasedPassthroughBackendFactory(conf *logical.BackendConfig) (logical.Backend, error)

PassthroughBackendWithLeasesFactory returns a PassthroughBackend with leases switched on

func NewSystemBackend

func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backend, error)

func PassthroughBackendFactory

func PassthroughBackendFactory(conf *logical.BackendConfig) (logical.Backend, error)

PassthroughBackendFactory returns a PassthroughBackend with leases switched off

func RegisterRequestForwardingServer added in v0.6.1

func RegisterRequestForwardingServer(s *grpc.Server, srv RequestForwardingServer)

func StartSSHHostTestServer added in v0.3.0

func StartSSHHostTestServer() (string, error)

Starts the test server which responds to SSH authentication. Used to test the SSH secret backend.

func TestCoreInit

func TestCoreInit(t testing.TB, core *Core) ([][]byte, string)

TestCoreInit initializes the core with a single key, and returns the key that must be used to unseal the core and a root token.

func TestCoreInitClusterWrapperSetup added in v0.6.1

func TestCoreInitClusterWrapperSetup(t testing.TB, core *Core, clusterAddrs []*net.TCPAddr, handlerSetupFunc func() (http.Handler, http.Handler)) ([][]byte, string)

func TestCoreUnseal added in v0.6.1

func TestCoreUnseal(core *Core, key []byte) (bool, error)

func TestCoreWithBackendTokenStore added in v0.7.0

func TestCoreWithBackendTokenStore(t testing.TB, backend physical.Backend) (*Core, *TokenStore, [][]byte, string)

TestCoreWithBackendTokenStore returns a core that has a token store mounted and used the provided physical backend, so that logical token functions can be used

func TestCoreWithTokenStore added in v0.5.0

func TestCoreWithTokenStore(t testing.TB) (*Core, *TokenStore, [][]byte, string)

TestCoreWithTokenStore returns an in-memory core that has a token store mounted, so that logical token functions can be used

func TestKeyCopy

func TestKeyCopy(key []byte) []byte

TestKeyCopy is a silly little function to just copy the key so that it can be used with Unseal easily.

func TestWaitActive added in v0.6.1

func TestWaitActive(t testing.TB, core *Core)

func WrapHandlerForClustering added in v0.6.1

func WrapHandlerForClustering(handler http.Handler, logger log.Logger) func() (http.Handler, http.Handler)

WrapHandlerForClustering takes in Vault's HTTP handler and returns a setup function that returns both the original handler and one wrapped with cluster methods

Types

type ACL

type ACL struct {
	// contains filtered or unexported fields
}

ACL is used to wrap a set of policies to provide an efficient interface for access control.

func NewACL

func NewACL(policies []*Policy) (*ACL, error)

New is used to construct a policy based ACL from a set of policies.

func (*ACL) AllowOperation

func (a *ACL) AllowOperation(req *logical.Request) (bool, bool)

AllowOperation is used to check if the given operation is permitted. The first bool indicates if an op is allowed, the second whether sudo priviliges exist for that op and path.

func (*ACL) Capabilities added in v0.5.2

func (a *ACL) Capabilities(path string) (pathCapabilities []string)

type AESGCMBarrier

type AESGCMBarrier struct {
	// contains filtered or unexported fields
}

AESGCMBarrier is a SecurityBarrier implementation that uses the AES cipher core and the Galois Counter Mode block mode. It defaults to the golang NONCE default value of 12 and a key size of 256 bit. AES-GCM is high performance, and provides both confidentiality and integrity.

func NewAESGCMBarrier

func NewAESGCMBarrier(physical physical.Backend) (*AESGCMBarrier, error)

NewAESGCMBarrier is used to construct a new barrier that uses the provided physical backend for storage.

func (*AESGCMBarrier) ActiveKeyInfo added in v0.2.0

func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error)

ActiveKeyInfo is used to inform details about the active key

func (*AESGCMBarrier) CheckUpgrade added in v0.2.0

func (b *AESGCMBarrier) CheckUpgrade() (bool, uint32, error)

CheckUpgrade looks for an upgrade to the current term and installs it

func (*AESGCMBarrier) CreateUpgrade added in v0.2.0

func (b *AESGCMBarrier) CreateUpgrade(term uint32) error

CreateUpgrade creates an upgrade path key to the given term from the previous term

func (*AESGCMBarrier) Decrypt added in v0.7.0

func (b *AESGCMBarrier) Decrypt(key string, ciphertext []byte) ([]byte, error)

Decrypt is used to decrypt in-memory for the BarrierEncryptor interface

func (*AESGCMBarrier) Delete

func (b *AESGCMBarrier) Delete(key string) error

Delete is used to permanently delete an entry

func (*AESGCMBarrier) DestroyUpgrade added in v0.2.0

func (b *AESGCMBarrier) DestroyUpgrade(term uint32) error

DestroyUpgrade destroys the upgrade path key to the given term

func (*AESGCMBarrier) Encrypt added in v0.7.0

func (b *AESGCMBarrier) Encrypt(key string, plaintext []byte) ([]byte, error)

Encrypt is used to encrypt in-memory for the BarrierEncryptor interface

func (*AESGCMBarrier) GenerateKey

func (b *AESGCMBarrier) GenerateKey() ([]byte, error)

GenerateKey is used to generate a new key

func (*AESGCMBarrier) Get

func (b *AESGCMBarrier) Get(key string) (*Entry, error)

Get is used to fetch an entry

func (*AESGCMBarrier) Initialize

func (b *AESGCMBarrier) Initialize(key []byte) error

Initialize works only if the barrier has not been initialized and makes use of the given master key.

func (*AESGCMBarrier) Initialized

func (b *AESGCMBarrier) Initialized() (bool, error)

Initialized checks if the barrier has been initialized and has a master key set.

func (*AESGCMBarrier) KeyLength

func (b *AESGCMBarrier) KeyLength() (int, int)

KeyLength is used to sanity check a key

func (*AESGCMBarrier) Keyring added in v0.7.0

func (b *AESGCMBarrier) Keyring() (*Keyring, error)

func (*AESGCMBarrier) List

func (b *AESGCMBarrier) List(prefix string) ([]string, error)

List is used ot list all the keys under a given prefix, up to the next prefix.

func (*AESGCMBarrier) Put

func (b *AESGCMBarrier) Put(entry *Entry) error

Put is used to insert or update an entry

func (*AESGCMBarrier) Rekey added in v0.2.0

func (b *AESGCMBarrier) Rekey(key []byte) error

Rekey is used to change the master key used to protect the keyring

func (*AESGCMBarrier) ReloadKeyring added in v0.2.0

func (b *AESGCMBarrier) ReloadKeyring() error

ReloadKeyring is used to re-read the underlying keyring. This is used for HA deployments to ensure the latest keyring is present in the leader.

func (*AESGCMBarrier) ReloadMasterKey added in v0.2.0

func (b *AESGCMBarrier) ReloadMasterKey() error

ReloadMasterKey is used to re-read the underlying masterkey. This is used for HA deployments to ensure the latest master key is available for keyring reloading.

func (*AESGCMBarrier) Rotate added in v0.2.0

func (b *AESGCMBarrier) Rotate() (uint32, error)

Rotate is used to create a new encryption key. All future writes should use the new key, while old values should still be decryptable.

func (*AESGCMBarrier) Seal

func (b *AESGCMBarrier) Seal() error

Seal is used to re-seal the barrier. This requires the barrier to be unsealed again to perform any further operations.

func (*AESGCMBarrier) Sealed

func (b *AESGCMBarrier) Sealed() (bool, error)

Sealed checks if the barrier has been unlocked yet. The Barrier is not expected to be able to perform any CRUD until it is unsealed.

func (*AESGCMBarrier) SetMasterKey added in v0.7.0

func (b *AESGCMBarrier) SetMasterKey(key []byte) error

SetMasterKey updates the keyring's in-memory master key but does not persist anything to storage

func (*AESGCMBarrier) Unseal

func (b *AESGCMBarrier) Unseal(key []byte) error

Unseal is used to provide the master key which permits the barrier to be unsealed. If the key is not correct, the barrier remains sealed.

func (*AESGCMBarrier) VerifyMaster added in v0.2.0

func (b *AESGCMBarrier) VerifyMaster(key []byte) error

VerifyMaster is used to check if the given key matches the master key

type AuditBroker

type AuditBroker struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

AuditBroker is used to provide a single ingest interface to auditable events given that multiple backends may be configured.

func NewAuditBroker

func NewAuditBroker(log log.Logger) *AuditBroker

NewAuditBroker creates a new audit broker

func (*AuditBroker) Deregister

func (a *AuditBroker) Deregister(name string)

Deregister is used to remove an audit backend from the broker

func (*AuditBroker) GetHash added in v0.4.0

func (a *AuditBroker) GetHash(name string, input string) (string, error)

GetHash returns a hash using the salt of the given backend

func (*AuditBroker) IsRegistered

func (a *AuditBroker) IsRegistered(name string) bool

IsRegistered is used to check if a given audit backend is registered

func (*AuditBroker) LogRequest

func (a *AuditBroker) LogRequest(auth *logical.Auth, req *logical.Request, headersConfig *AuditedHeadersConfig, outerErr error) (retErr error)

LogRequest is used to ensure all the audit backends have an opportunity to log the given request and that *at least one* succeeds.

func (*AuditBroker) LogResponse

func (a *AuditBroker) LogResponse(auth *logical.Auth, req *logical.Request,
	resp *logical.Response, headersConfig *AuditedHeadersConfig, err error) (reterr error)

LogResponse is used to ensure all the audit backends have an opportunity to log the given response and that *at least one* succeeds.

func (*AuditBroker) Register

func (a *AuditBroker) Register(name string, b audit.Backend, v *BarrierView)

Register is used to add new audit backend to the broker

type AuditedHeadersConfig added in v0.6.5

type AuditedHeadersConfig struct {
	Headers map[string]*auditedHeaderSettings

	sync.RWMutex
	// contains filtered or unexported fields
}

AuditedHeadersConfig is used by the Audit Broker to write only approved headers to the audit logs. It uses a BarrierView to persist the settings.

func (*AuditedHeadersConfig) ApplyConfig added in v0.6.5

func (a *AuditedHeadersConfig) ApplyConfig(headers map[string][]string, hashFunc func(string) string) (result map[string][]string)

ApplyConfig returns a map of approved headers and their values, either hmac'ed or plaintext

type BarrierEncryptor added in v0.7.0

type BarrierEncryptor interface {
	Encrypt(key string, plaintext []byte) ([]byte, error)
	Decrypt(key string, ciphertext []byte) ([]byte, error)
}

BarrierEncryptor is the in memory only interface that does not actually use the underlying barrier. It is used for lower level modules like the Write-Ahead-Log and Merkle index to allow them to use the barrier.

type BarrierStorage

type BarrierStorage interface {
	// Put is used to insert or update an entry
	Put(entry *Entry) error

	// Get is used to fetch an entry
	Get(key string) (*Entry, error)

	// Delete is used to permanently delete an entry
	Delete(key string) error

	// List is used ot list all the keys under a given
	// prefix, up to the next prefix.
	List(prefix string) ([]string, error)
}

BarrierStorage is the storage only interface required for a Barrier.

type BarrierView

type BarrierView struct {
	// contains filtered or unexported fields
}

BarrierView wraps a SecurityBarrier and ensures all access is automatically prefixed. This is used to prevent anyone with access to the view to access any data in the durable storage outside of their prefix. Conceptually this is like a "chroot" into the barrier.

BarrierView implements logical.Storage so it can be passed in as the durable storage mechanism for logical views.

func NewBarrierView

func NewBarrierView(barrier BarrierStorage, prefix string) *BarrierView

NewBarrierView takes an underlying security barrier and returns a view of it that can only operate with the given prefix.

func (*BarrierView) Delete

func (v *BarrierView) Delete(key string) error

logical.Storage impl.

func (*BarrierView) Get

func (v *BarrierView) Get(key string) (*logical.StorageEntry, error)

logical.Storage impl.

func (*BarrierView) List

func (v *BarrierView) List(prefix string) ([]string, error)

logical.Storage impl.

func (*BarrierView) Put

func (v *BarrierView) Put(entry *logical.StorageEntry) error

logical.Storage impl.

func (*BarrierView) SubView

func (v *BarrierView) SubView(prefix string) *BarrierView

SubView constructs a nested sub-view using the given prefix

type Cluster added in v0.6.1

type Cluster struct {
	// Name of the cluster
	Name string `json:"name" structs:"name" mapstructure:"name"`

	// Identifier of the cluster
	ID string `json:"id" structs:"id" mapstructure:"id"`
}

Structure representing the storage entry that holds cluster information

type Core

type Core struct {
	// contains filtered or unexported fields
}

Core is used as the central manager of Vault activity. It is the primary point of interface for API handlers and is responsible for managing the logical and physical backends, router, security barrier, and audit trails.

func NewCore

func NewCore(conf *CoreConfig) (*Core, error)

NewCore is used to construct a new core

func TestCore

func TestCore(t testing.TB) *Core

TestCore returns a pure in-memory, uninitialized core for testing.

func TestCoreNewSeal added in v0.6.5

func TestCoreNewSeal(t testing.TB) *Core

TestCoreNewSeal returns an in-memory, ininitialized core with the new seal configuration.

func TestCoreUnsealed

func TestCoreUnsealed(t testing.TB) (*Core, [][]byte, string)

TestCoreUnsealed returns a pure in-memory core that is already initialized and unsealed.

func TestCoreUnsealedBackend added in v0.7.0

func TestCoreUnsealedBackend(t testing.TB, backend physical.Backend) (*Core, [][]byte, string)

func TestCoreWithSeal added in v0.6.0

func TestCoreWithSeal(t testing.TB, testSeal Seal) *Core

TestCoreWithSeal returns a pure in-memory, uninitialized core with the specified seal for testing.

func (*Core) AuditedHeadersConfig added in v0.6.5

func (c *Core) AuditedHeadersConfig() *AuditedHeadersConfig

func (*Core) BarrierKeyLength added in v0.6.1

func (c *Core) BarrierKeyLength() (min, max int)

func (*Core) BarrierRekeyInit added in v0.6.0

func (c *Core) BarrierRekeyInit(config *SealConfig) error

BarrierRekeyInit is used to initialize the rekey settings for the barrier key

func (*Core) BarrierRekeyUpdate added in v0.6.0

func (c *Core) BarrierRekeyUpdate(key []byte, nonce string) (*RekeyResult, error)

BarrierRekeyUpdate is used to provide a new key part

func (*Core) Capabilities added in v0.5.2

func (c *Core) Capabilities(token, path string) ([]string, error)

Capabilities is used to fetch the capabilities of the given token on the given path

func (*Core) Cluster added in v0.6.1

func (c *Core) Cluster() (*Cluster, error)

Cluster fetches the details of the local cluster. This method errors out when Vault is sealed.

func (*Core) ClusterTLSConfig added in v0.6.1

func (c *Core) ClusterTLSConfig() (*tls.Config, error)

ClusterTLSConfig generates a TLS configuration based on the local/replicated cluster key and cert.

func (*Core) ForwardRequest added in v0.6.1

func (c *Core) ForwardRequest(req *http.Request) (int, http.Header, []byte, error)

ForwardRequest forwards a given request to the active node and returns the response.

func (*Core) GenerateRootCancel added in v0.5.0

func (c *Core) GenerateRootCancel() error

GenerateRootCancel is used to cancel an in-progress root generation

func (*Core) GenerateRootConfiguration added in v0.5.0

func (c *Core) GenerateRootConfiguration() (*GenerateRootConfig, error)

GenerateRootConfig is used to read the root generation configuration It stubbornly refuses to return the OTP if one is there.

func (*Core) GenerateRootInit added in v0.5.0

func (c *Core) GenerateRootInit(otp, pgpKey string) error

GenerateRootInit is used to initialize the root generation settings

func (*Core) GenerateRootProgress added in v0.5.0

func (c *Core) GenerateRootProgress() (int, error)

GenerateRoot is used to return the root generation progress (num shares)

func (*Core) GenerateRootUpdate added in v0.5.0

func (c *Core) GenerateRootUpdate(key []byte, nonce string) (*GenerateRootResult, error)

GenerateRootUpdate is used to provide a new key part

func (*Core) HandleRequest

func (c *Core) HandleRequest(req *logical.Request) (resp *logical.Response, err error)

HandleRequest is used to handle a new incoming request

func (*Core) Initialize

func (c *Core) Initialize(initParams *InitParams) (*InitResult, error)

Initialize is used to initialize the Vault with the given configurations.

func (*Core) Initialized

func (c *Core) Initialized() (bool, error)

Initialized checks if the Vault is already initialized

func (*Core) Leader

func (c *Core) Leader() (isLeader bool, leaderAddr string, err error)

Leader is used to get the current active leader

func (*Core) Logger added in v0.6.1

func (c *Core) Logger() log.Logger

func (*Core) LookupToken added in v0.6.3

func (c *Core) LookupToken(token string) (*TokenEntry, error)

LookupToken returns the properties of the token from the token store. This is particularly useful to fetch the accessor of the client token and get it populated in the logical request along with the client token. The accessor of the client token can get audit logged.

func (*Core) RecoveryRekeyInit added in v0.6.0

func (c *Core) RecoveryRekeyInit(config *SealConfig) error

RecoveryRekeyInit is used to initialize the rekey settings for the recovery key

func (*Core) RecoveryRekeyUpdate added in v0.6.0

func (c *Core) RecoveryRekeyUpdate(key []byte, nonce string) (*RekeyResult, error)

RecoveryRekeyUpdate is used to provide a new key part

func (*Core) RekeyCancel added in v0.2.0

func (c *Core) RekeyCancel(recovery bool) error

RekeyCancel is used to cancel an inprogress rekey

func (*Core) RekeyConfig added in v0.2.0

func (c *Core) RekeyConfig(recovery bool) (*SealConfig, error)

RekeyConfig is used to read the rekey configuration

func (*Core) RekeyDeleteBackup added in v0.5.0

func (c *Core) RekeyDeleteBackup(recovery bool) error

RekeyDeleteBackup is used to delete any backed-up PGP-encrypted unseal keys

func (*Core) RekeyInit added in v0.2.0

func (c *Core) RekeyInit(config *SealConfig, recovery bool) error

func (*Core) RekeyProgress added in v0.2.0

func (c *Core) RekeyProgress(recovery bool) (int, error)

RekeyProgress is used to return the rekey progress (num shares)

func (*Core) RekeyRetrieveBackup added in v0.5.0

func (c *Core) RekeyRetrieveBackup(recovery bool) (*RekeyBackup, error)

RekeyRetrieveBackup is used to retrieve any backed-up PGP-encrypted unseal keys

func (*Core) RekeyThreshold added in v0.6.0

func (c *Core) RekeyThreshold(recovery bool) (int, error)

func (*Core) RekeyUpdate added in v0.2.0

func (c *Core) RekeyUpdate(key []byte, nonce string, recovery bool) (*RekeyResult, error)

func (*Core) ReplicationState added in v0.7.0

func (c *Core) ReplicationState() consts.ReplicationState

func (*Core) ResetUnsealProcess added in v0.4.0

func (c *Core) ResetUnsealProcess()

ResetUnsealProcess removes the current unlock parts from memory, to reset the unsealing process

func (*Core) Seal

func (c *Core) Seal(token string) error

Seal takes in a token and creates a logical.Request, acquires the lock, and passes through to sealInternal

func (*Core) SealAccess added in v0.6.0

func (c *Core) SealAccess() *SealAccess

func (*Core) SealWithRequest added in v0.6.0

func (c *Core) SealWithRequest(req *logical.Request) error

SealWithRequest takes in a logical.Request, acquires the lock, and passes through to sealInternal

func (*Core) Sealed

func (c *Core) Sealed() (bool, error)

Sealed checks if the Vault is current sealed

func (*Core) SecretProgress

func (c *Core) SecretProgress() (int, string)

SecretProgress returns the number of keys provided so far

func (*Core) SetClusterListenerAddrs added in v0.6.1

func (c *Core) SetClusterListenerAddrs(addrs []*net.TCPAddr)

func (*Core) SetClusterSetupFuncs added in v0.6.1

func (c *Core) SetClusterSetupFuncs(handler func() (http.Handler, http.Handler))

SetClusterSetupFuncs sets the handler setup func

func (*Core) Shutdown added in v0.2.0

func (c *Core) Shutdown() error

Shutdown is invoked when the Vault instance is about to be terminated. It should not be accessible as part of an API call as it will cause an availability problem. It is only used to gracefully quit in the case of HA so that failover happens as quickly as possible.

func (*Core) Standby

func (c *Core) Standby() (bool, error)

Standby checks if the Vault is in standby mode

func (*Core) StepDown added in v0.5.2

func (c *Core) StepDown(req *logical.Request) (retErr error)

StepDown is used to step down from leadership

func (*Core) Unseal

func (c *Core) Unseal(key []byte) (bool, error)

Unseal is used to provide one of the key parts to unseal the Vault.

They key given as a parameter will automatically be zerod after this method is done with it. If you want to keep the key around, a copy should be made.

func (*Core) UnsealWithStoredKeys added in v0.6.0

func (c *Core) UnsealWithStoredKeys() error

func (*Core) ValidateWrappingToken added in v0.6.2

func (c *Core) ValidateWrappingToken(req *logical.Request) (bool, error)

type CoreConfig

type CoreConfig struct {
	DevToken string `json:"dev_token" structs:"dev_token" mapstructure:"dev_token"`

	LogicalBackends map[string]logical.Factory `json:"logical_backends" structs:"logical_backends" mapstructure:"logical_backends"`

	CredentialBackends map[string]logical.Factory `json:"credential_backends" structs:"credential_backends" mapstructure:"credential_backends"`

	AuditBackends map[string]audit.Factory `json:"audit_backends" structs:"audit_backends" mapstructure:"audit_backends"`

	Physical physical.Backend `json:"physical" structs:"physical" mapstructure:"physical"`

	// May be nil, which disables HA operations
	HAPhysical physical.HABackend `json:"ha_physical" structs:"ha_physical" mapstructure:"ha_physical"`

	Seal Seal `json:"seal" structs:"seal" mapstructure:"seal"`

	Logger log.Logger `json:"logger" structs:"logger" mapstructure:"logger"`

	// Disables the LRU cache on the physical backend
	DisableCache bool `json:"disable_cache" structs:"disable_cache" mapstructure:"disable_cache"`

	// Disables mlock syscall
	DisableMlock bool `json:"disable_mlock" structs:"disable_mlock" mapstructure:"disable_mlock"`

	// Custom cache size for the LRU cache on the physical backend, or zero for default
	CacheSize int `json:"cache_size" structs:"cache_size" mapstructure:"cache_size"`

	// Set as the leader address for HA
	RedirectAddr string `json:"redirect_addr" structs:"redirect_addr" mapstructure:"redirect_addr"`

	// Set as the cluster address for HA
	ClusterAddr string `json:"cluster_addr" structs:"cluster_addr" mapstructure:"cluster_addr"`

	DefaultLeaseTTL time.Duration `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"`

	MaxLeaseTTL time.Duration `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`

	ClusterName string `json:"cluster_name" structs:"cluster_name" mapstructure:"cluster_name"`

	EnableUI bool `json:"ui" structs:"ui" mapstructure:"ui"`

	ReloadFuncs     *map[string][]ReloadFunc
	ReloadFuncsLock *sync.RWMutex
}

CoreConfig is used to parameterize a core

type CubbyholeBackend added in v0.3.0

type CubbyholeBackend struct {
	*framework.Backend
	// contains filtered or unexported fields
}

CubbyholeBackend is used for storing secrets directly into the physical backend. The secrets are encrypted in the durable storage. This differs from generic in that every token has its own private storage view. The view is removed when the token expires.

type DefaultSeal added in v0.6.0

type DefaultSeal struct {
	// contains filtered or unexported fields
}

func (*DefaultSeal) BarrierConfig added in v0.6.0

func (d *DefaultSeal) BarrierConfig() (*SealConfig, error)

func (*DefaultSeal) BarrierType added in v0.6.0

func (d *DefaultSeal) BarrierType() string

func (*DefaultSeal) Finalize added in v0.6.0

func (d *DefaultSeal) Finalize() error

func (*DefaultSeal) GetStoredKeys added in v0.6.0

func (d *DefaultSeal) GetStoredKeys() ([][]byte, error)

func (*DefaultSeal) Init added in v0.6.0

func (d *DefaultSeal) Init() error

func (*DefaultSeal) RecoveryConfig added in v0.6.0

func (d *DefaultSeal) RecoveryConfig() (*SealConfig, error)

func (*DefaultSeal) RecoveryKeySupported added in v0.6.0

func (d *DefaultSeal) RecoveryKeySupported() bool

func (*DefaultSeal) RecoveryType added in v0.6.0

func (d *DefaultSeal) RecoveryType() string

func (*DefaultSeal) SetBarrierConfig added in v0.6.0

func (d *DefaultSeal) SetBarrierConfig(config *SealConfig) error

func (*DefaultSeal) SetCore added in v0.6.0

func (d *DefaultSeal) SetCore(core *Core)

func (*DefaultSeal) SetRecoveryConfig added in v0.6.0

func (d *DefaultSeal) SetRecoveryConfig(config *SealConfig) error

func (*DefaultSeal) SetRecoveryKey added in v0.6.0

func (d *DefaultSeal) SetRecoveryKey(key []byte) error

func (*DefaultSeal) SetStoredKeys added in v0.6.0

func (d *DefaultSeal) SetStoredKeys(keys [][]byte) error

func (*DefaultSeal) StoredKeysSupported added in v0.6.0

func (d *DefaultSeal) StoredKeysSupported() bool

func (*DefaultSeal) VerifyRecoveryKey added in v0.6.0

func (d *DefaultSeal) VerifyRecoveryKey([]byte) error

type EncodedKeyring added in v0.2.0

type EncodedKeyring struct {
	MasterKey []byte
	Keys      []*Key
}

EncodedKeyring is used for serialization of the keyring

type Entry

type Entry struct {
	Key   string
	Value []byte
}

Entry is used to represent data stored by the security barrier

func (*Entry) Logical

func (e *Entry) Logical() *logical.StorageEntry

Logical turns the Entry into a logical storage entry.

type ErrInvalidKey

type ErrInvalidKey struct {
	Reason string
}

ErrInvalidKey is returned if there is a user-based error with a provided unseal key. This will be shown to the user, so should not contain information that is sensitive.

func (*ErrInvalidKey) Error

func (e *ErrInvalidKey) Error() string

type ExpirationManager

type ExpirationManager struct {
	// contains filtered or unexported fields
}

ExpirationManager is used by the Core to manage leases. Secrets can provide a lease, meaning that they can be renewed or revoked. If a secret is not renewed in timely manner, it may be expired, and the ExpirationManager will handle doing automatic revocation.

func NewExpirationManager

func NewExpirationManager(router *Router, view *BarrierView, ts *TokenStore, logger log.Logger) *ExpirationManager

NewExpirationManager creates a new ExpirationManager that is backed using a given view, and uses the provided router for revocation.

func (*ExpirationManager) FetchLeaseTimes added in v0.5.0

func (m *ExpirationManager) FetchLeaseTimes(leaseID string) (*leaseEntry, error)

FetchLeaseTimes is used to fetch the issue time, expiration time, and last renewed time of a lease entry. It returns a leaseEntry itself, but with only those values copied over.

func (*ExpirationManager) FetchLeaseTimesByToken added in v0.5.0

func (m *ExpirationManager) FetchLeaseTimesByToken(source, token string) (*leaseEntry, error)

FetchLeaseTimesByToken is a helper function to use token values to compute the leaseID, rather than pushing that logic back into the token store.

func (*ExpirationManager) Register

func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Response) (string, error)

Register is used to take a request and response with an associated lease. The secret gets assigned a LeaseID and the management of of lease is assumed by the expiration manager.

func (*ExpirationManager) RegisterAuth

func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) error

RegisterAuth is used to take an Auth response with an associated lease. The token does not get a LeaseID, but the lease management is handled by the expiration manager.

func (*ExpirationManager) Renew

func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*logical.Response, error)

Renew is used to renew a secret using the given leaseID and a renew interval. The increment may be ignored.

func (*ExpirationManager) RenewToken

func (m *ExpirationManager) RenewToken(req *logical.Request, source string, token string,
	increment time.Duration) (*logical.Response, error)

RenewToken is used to renew a token which does not need to invoke a logical backend.

func (*ExpirationManager) Restore

func (m *ExpirationManager) Restore() error

Restore is used to recover the lease states when starting. This is used after starting the vault.

func (*ExpirationManager) Revoke

func (m *ExpirationManager) Revoke(leaseID string) error

Revoke is used to revoke a secret named by the given LeaseID

func (*ExpirationManager) RevokeByToken

func (m *ExpirationManager) RevokeByToken(te *TokenEntry) error

RevokeByToken is used to revoke all the secrets issued with a given token. This is done by using the secondary index. It also removes the lease entry for the token itself. As a result it should *ONLY* ever be called from the token store's revokeSalted function.

func (*ExpirationManager) RevokeForce added in v0.5.2

func (m *ExpirationManager) RevokeForce(prefix string) error

RevokeForce works similarly to RevokePrefix but continues in the case of a revocation error; this is mostly meant for recovery operations

func (*ExpirationManager) RevokePrefix

func (m *ExpirationManager) RevokePrefix(prefix string) error

RevokePrefix is used to revoke all secrets with a given prefix. The prefix maps to that of the mount table to make this simpler to reason about.

func (*ExpirationManager) Stop

func (m *ExpirationManager) Stop() error

Stop is used to prevent further automatic revocations. This must be called before sealing the view.

type GenerateRootConfig added in v0.5.0

type GenerateRootConfig struct {
	Nonce          string
	PGPKey         string
	PGPFingerprint string
	OTP            string
}

GenerateRootConfig holds the configuration for a root generation command.

type GenerateRootResult added in v0.5.0

type GenerateRootResult struct {
	Progress         int
	Required         int
	EncodedRootToken string
	PGPFingerprint   string
}

GenerateRootResult holds the result of a root generation update command

type InitParams added in v0.6.2

type InitParams struct {
	BarrierConfig   *SealConfig
	RecoveryConfig  *SealConfig
	RootTokenPGPKey string
}

InitParams keeps the init function from being littered with too many params, that's it!

type InitResult

type InitResult struct {
	SecretShares   [][]byte
	RecoveryShares [][]byte
	RootToken      string
}

InitResult is used to provide the key parts back after they are generated as part of the initialization.

type Key added in v0.2.0

type Key struct {
	Term        uint32
	Version     int
	Value       []byte
	InstallTime time.Time
}

Key represents a single term, along with the key used.

func DeserializeKey added in v0.2.0

func DeserializeKey(buf []byte) (*Key, error)

DeserializeKey is used to deserialize and return a new key

func (*Key) Serialize added in v0.2.0

func (k *Key) Serialize() ([]byte, error)

Serialize is used to create a byte encoded key

type KeyInfo added in v0.2.0

type KeyInfo struct {
	Term        int
	InstallTime time.Time
}

KeyInfo is used to convey information about the encryption key

type KeyNotFoundError added in v0.6.3

type KeyNotFoundError struct {
	Err error
}

func (*KeyNotFoundError) Error added in v0.6.3

func (e *KeyNotFoundError) Error() string

func (*KeyNotFoundError) WrappedErrors added in v0.6.3

func (e *KeyNotFoundError) WrappedErrors() []error

type Keyring added in v0.2.0

type Keyring struct {
	// contains filtered or unexported fields
}

Keyring is used to manage multiple encryption keys used by the barrier. New keys can be installed and each has a sequential term. The term used to encrypt a key is prefixed to the key written out. All data is encrypted with the latest key, but storing the old keys allows for decryption of keys written previously. Along with the encryption keys, the keyring also tracks the master key. This is necessary so that when a new key is added to the keyring, we can encrypt with the master key and write out the new keyring.

func DeserializeKeyring added in v0.2.0

func DeserializeKeyring(buf []byte) (*Keyring, error)

DeserializeKeyring is used to deserialize and return a new keyring

func NewKeyring added in v0.2.0

func NewKeyring() *Keyring

NewKeyring creates a new keyring

func (*Keyring) ActiveKey added in v0.2.0

func (k *Keyring) ActiveKey() *Key

ActiveKey returns the active encryption key, or nil

func (*Keyring) ActiveTerm added in v0.2.0

func (k *Keyring) ActiveTerm() uint32

ActiveTerm returns the currently active term

func (*Keyring) AddKey added in v0.2.0

func (k *Keyring) AddKey(key *Key) (*Keyring, error)

AddKey adds a new key to the keyring

func (*Keyring) Clone added in v0.2.0

func (k *Keyring) Clone() *Keyring

Clone returns a new copy of the keyring

func (*Keyring) MasterKey added in v0.2.0

func (k *Keyring) MasterKey() []byte

MasterKey returns the master key

func (*Keyring) RemoveKey added in v0.2.0

func (k *Keyring) RemoveKey(term uint32) (*Keyring, error)

RemoveKey removes a key from the keyring

func (*Keyring) Serialize added in v0.2.0

func (k *Keyring) Serialize() ([]byte, error)

Serialize is used to create a byte encoded keyring

func (*Keyring) SetMasterKey added in v0.2.0

func (k *Keyring) SetMasterKey(val []byte) *Keyring

SetMasterKey is used to update the master key

func (*Keyring) TermKey added in v0.2.0

func (k *Keyring) TermKey(term uint32) *Key

TermKey returns the key for the given term, or nil

func (*Keyring) Zeroize added in v0.6.0

func (k *Keyring) Zeroize(keysToo bool)

N.B.: Since Go 1.5 these are not reliable; see the documentation around the memzero function. These are best-effort.

type MountConfig added in v0.3.0

type MountConfig struct {
	DefaultLeaseTTL time.Duration `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` // Override for global default
	MaxLeaseTTL     time.Duration `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`             // Override for global default
	ForceNoCache    bool          `json:"force_no_cache" structs:"force_no_cache" mapstructure:"force_no_cache"`          // Override for global default
}

MountConfig is used to hold settable options

type MountEntry

type MountEntry struct {
	Table       string            `json:"table"`             // The table it belongs to
	Path        string            `json:"path"`              // Mount Path
	Type        string            `json:"type"`              // Logical backend Type
	Description string            `json:"description"`       // User-provided description
	UUID        string            `json:"uuid"`              // Barrier view UUID
	Config      MountConfig       `json:"config"`            // Configuration related to this mount (but not backend-derived)
	Options     map[string]string `json:"options"`           // Backend options
	Local       bool              `json:"local"`             // Local mounts are not replicated or affected by replication
	Tainted     bool              `json:"tainted,omitempty"` // Set as a Write-Ahead flag for unmount/remount
}

MountEntry is used to represent a mount table entry

func (*MountEntry) Clone

func (e *MountEntry) Clone() *MountEntry

Returns a deep copy of the mount entry

type MountTable

type MountTable struct {
	Type    string        `json:"type"`
	Entries []*MountEntry `json:"entries"`
}

MountTable is used to represent the internal mount table

func (*MountTable) Hash

func (t *MountTable) Hash() ([]byte, error)

Hash is used to generate a hash value for the mount table

type NonFatalError added in v0.6.0

type NonFatalError struct {
	Err error
}

NonFatalError is an error that can be returned during NewCore that should be displayed but not cause a program exit

func (*NonFatalError) Error added in v0.6.0

func (e *NonFatalError) Error() string

func (*NonFatalError) WrappedErrors added in v0.6.0

func (e *NonFatalError) WrappedErrors() []error

type PassthroughBackend

type PassthroughBackend struct {
	*framework.Backend
	// contains filtered or unexported fields
}

PassthroughBackend is used storing secrets directly into the physical backend. The secrets are encrypted in the durable storage and custom TTL information can be specified, but otherwise this backend doesn't do anything fancy.

func (*PassthroughBackend) GeneratesLeases added in v0.3.0

func (b *PassthroughBackend) GeneratesLeases() bool

type PathCapabilities added in v0.5.0

type PathCapabilities struct {
	Prefix       string
	Policy       string
	Permissions  *Permissions
	Glob         bool
	Capabilities []string

	// These keys are used at the top level to make the HCL nicer; we store in
	// the Permissions object though
	MinWrappingTTLHCL    interface{}              `hcl:"min_wrapping_ttl"`
	MaxWrappingTTLHCL    interface{}              `hcl:"max_wrapping_ttl"`
	AllowedParametersHCL map[string][]interface{} `hcl:"allowed_parameters"`
	DeniedParametersHCL  map[string][]interface{} `hcl:"denied_parameters"`
}

PathCapabilities represents a policy for a path in the namespace.

type Permissions added in v0.7.0

type Permissions struct {
	CapabilitiesBitmap uint32
	MinWrappingTTL     time.Duration
	MaxWrappingTTL     time.Duration
	AllowedParameters  map[string][]interface{}
	DeniedParameters   map[string][]interface{}
}

type Policy

type Policy struct {
	Name  string              `hcl:"name"`
	Paths []*PathCapabilities `hcl:"-"`
	Raw   string
}

Policy is used to represent the policy specified by an ACL configuration.

func Parse

func Parse(rules string) (*Policy, error)

Parse is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL

type PolicyEntry added in v0.2.0

type PolicyEntry struct {
	Version int
	Raw     string
}

PolicyEntry is used to store a policy by name

type PolicyStore

type PolicyStore struct {
	// contains filtered or unexported fields
}

PolicyStore is used to provide durable storage of policy, and to manage ACLs associated with them.

func NewPolicyStore

func NewPolicyStore(view *BarrierView, system logical.SystemView) *PolicyStore

NewPolicyStore creates a new PolicyStore that is backed using a given view. It used used to durable store and manage named policy.

func (*PolicyStore) ACL

func (ps *PolicyStore) ACL(names ...string) (*ACL, error)

ACL is used to return an ACL which is built using the named policies.

func (*PolicyStore) DeletePolicy

func (ps *PolicyStore) DeletePolicy(name string) error

DeletePolicy is used to delete the named policy

func (*PolicyStore) GetPolicy

func (ps *PolicyStore) GetPolicy(name string) (*Policy, error)

GetPolicy is used to fetch the named policy

func (*PolicyStore) ListPolicies

func (ps *PolicyStore) ListPolicies() ([]string, error)

ListPolicies is used to list the available policies

func (*PolicyStore) SetPolicy

func (ps *PolicyStore) SetPolicy(p *Policy) error

SetPolicy is used to create or update the given policy

type RekeyBackup added in v0.5.0

type RekeyBackup struct {
	Nonce string
	Keys  map[string][]string
}

RekeyBackup stores the backup copy of PGP-encrypted keys

type RekeyResult added in v0.2.0

type RekeyResult struct {
	SecretShares    [][]byte
	PGPFingerprints []string
	Backup          bool
	RecoveryKey     bool
}

RekeyResult is used to provide the key parts back after they are generated as part of the rekey.

type ReloadFunc added in v0.6.2

type ReloadFunc func(map[string]string) error

ReloadFunc are functions that are called when a reload is requested.

type RequestForwardingClient added in v0.6.1

type RequestForwardingClient interface {
	ForwardRequest(ctx context.Context, in *forwarding.Request, opts ...grpc.CallOption) (*forwarding.Response, error)
}

func NewRequestForwardingClient added in v0.6.1

func NewRequestForwardingClient(cc *grpc.ClientConn) RequestForwardingClient

type RequestForwardingServer added in v0.6.1

type RequestForwardingServer interface {
	ForwardRequest(context.Context, *forwarding.Request) (*forwarding.Response, error)
}

type RollbackManager

type RollbackManager struct {
	// contains filtered or unexported fields
}

RollbackManager is responsible for performing rollbacks of partial secrets within logical backends.

During normal operations, it is possible for logical backends to error partially through an operation. These are called "partial secrets": they are never sent back to a user, but they do need to be cleaned up. This manager handles that by periodically (on a timer) requesting that the backends clean up.

The RollbackManager periodically initiates a logical.RollbackOperation on every mounted logical backend. It ensures that only one rollback operation is in-flight at any given time within a single seal/unseal phase.

func NewRollbackManager

func NewRollbackManager(logger log.Logger, backendsFunc func() []*MountEntry, router *Router) *RollbackManager

NewRollbackManager is used to create a new rollback manager

func (*RollbackManager) Rollback

func (m *RollbackManager) Rollback(path string) error

Rollback is used to trigger an immediate rollback of the path, or to join an existing rollback operation if in flight.

func (*RollbackManager) Start

func (m *RollbackManager) Start()

Start starts the rollback manager

func (*RollbackManager) Stop

func (m *RollbackManager) Stop()

Stop stops the running manager. This will wait for any in-flight rollbacks to complete.

type Router

type Router struct {
	// contains filtered or unexported fields
}

Router is used to do prefix based routing of a request to a logical backend

func NewRouter

func NewRouter() *Router

NewRouter returns a new router

func (*Router) LoginPath

func (r *Router) LoginPath(path string) bool

LoginPath checks if the given path is used for logins

func (*Router) MatchingBackend added in v0.3.0

func (r *Router) MatchingBackend(path string) logical.Backend

MatchingMountEntry returns the MountEntry used for a path

func (*Router) MatchingMount

func (r *Router) MatchingMount(path string) string

MatchingMount returns the mount prefix that would be used for a path

func (*Router) MatchingMountEntry added in v0.3.0

func (r *Router) MatchingMountEntry(path string) *MountEntry

MatchingMountEntry returns the MountEntry used for a path

func (*Router) MatchingStoragePrefix added in v0.6.5

func (r *Router) MatchingStoragePrefix(path string) (string, string, bool)

MatchingStoragePrefix returns the mount path matching and storage prefix matching the given path

func (*Router) MatchingStorageView added in v0.3.0

func (r *Router) MatchingStorageView(path string) *BarrierView

MatchingView returns the view used for a path

func (*Router) MatchingSystemView added in v0.3.0

func (r *Router) MatchingSystemView(path string) logical.SystemView

MatchingSystemView returns the SystemView used for a path

func (*Router) Mount

func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, storageView *BarrierView) error

Mount is used to expose a logical backend at a given prefix, using a unique salt, and the barrier view for that path.

func (*Router) Remount

func (r *Router) Remount(src, dst string) error

Remount is used to change the mount location of a logical backend

func (*Router) RootPath

func (r *Router) RootPath(path string) bool

RootPath checks if the given path requires root privileges

func (*Router) Route

func (r *Router) Route(req *logical.Request) (*logical.Response, error)

Route is used to route a given request

func (*Router) RouteExistenceCheck added in v0.5.0

func (r *Router) RouteExistenceCheck(req *logical.Request) (bool, bool, error)

Route is used to route a given existence check request

func (*Router) Taint

func (r *Router) Taint(path string) error

Taint is used to mark a path as tainted. This means only RollbackOperation RevokeOperation requests are allowed to proceed

func (*Router) Unmount

func (r *Router) Unmount(prefix string) error

Unmount is used to remove a logical backend from a given prefix

func (*Router) Untaint

func (r *Router) Untaint(path string) error

Untaint is used to unmark a path as tainted.

type Seal added in v0.6.0

type Seal interface {
	SetCore(*Core)
	Init() error
	Finalize() error

	StoredKeysSupported() bool
	SetStoredKeys([][]byte) error
	GetStoredKeys() ([][]byte, error)

	BarrierType() string
	BarrierConfig() (*SealConfig, error)
	SetBarrierConfig(*SealConfig) error

	RecoveryKeySupported() bool
	RecoveryType() string
	RecoveryConfig() (*SealConfig, error)
	SetRecoveryConfig(*SealConfig) error
	SetRecoveryKey([]byte) error
	VerifyRecoveryKey([]byte) error
}

type SealAccess added in v0.6.0

type SealAccess struct {
	// contains filtered or unexported fields
}

func (*SealAccess) BarrierConfig added in v0.6.0

func (s *SealAccess) BarrierConfig() (*SealConfig, error)

func (*SealAccess) RecoveryConfig added in v0.6.0

func (s *SealAccess) RecoveryConfig() (*SealConfig, error)

func (*SealAccess) RecoveryKeySupported added in v0.6.0

func (s *SealAccess) RecoveryKeySupported() bool

func (*SealAccess) SetSeal added in v0.6.0

func (s *SealAccess) SetSeal(seal Seal)

func (*SealAccess) StoredKeysSupported added in v0.6.0

func (s *SealAccess) StoredKeysSupported() bool

type SealConfig

type SealConfig struct {
	// The type, for sanity checking
	Type string `json:"type"`

	// SecretShares is the number of shares the secret is split into. This is
	// the N value of Shamir.
	SecretShares int `json:"secret_shares"`

	// SecretThreshold is the number of parts required to open the vault. This
	// is the T value of Shamir.
	SecretThreshold int `json:"secret_threshold"`

	// PGPKeys is the array of public PGP keys used, if requested, to encrypt
	// the output unseal tokens. If provided, it sets the value of
	// SecretShares. Ordering is important.
	PGPKeys []string `json:"pgp_keys"`

	// Nonce is a nonce generated by Vault used to ensure that when unseal keys
	// are submitted for a rekey operation, the rekey operation itself is the
	// one intended. This prevents hijacking of the rekey operation, since it
	// is unauthenticated.
	Nonce string `json:"nonce"`

	// Backup indicates whether or not a backup of PGP-encrypted unseal keys
	// should be stored at coreUnsealKeysBackupPath after successful rekeying.
	Backup bool `json:"backup"`

	// How many keys to store, for seals that support storage.
	StoredShares int `json:"stored_shares"`
}

SealConfig is used to describe the seal configuration

func (*SealConfig) Clone added in v0.6.0

func (s *SealConfig) Clone() *SealConfig

func (*SealConfig) Validate

func (s *SealConfig) Validate() error

Validate is used to sanity check the seal configuration

type SecurityBarrier

type SecurityBarrier interface {
	// Initialized checks if the barrier has been initialized
	// and has a master key set.
	Initialized() (bool, error)

	// Initialize works only if the barrier has not been initialized
	// and makes use of the given master key.
	Initialize([]byte) error

	// GenerateKey is used to generate a new key
	GenerateKey() ([]byte, error)

	// KeyLength is used to sanity check a key
	KeyLength() (int, int)

	// Sealed checks if the barrier has been unlocked yet. The Barrier
	// is not expected to be able to perform any CRUD until it is unsealed.
	Sealed() (bool, error)

	// Unseal is used to provide the master key which permits the barrier
	// to be unsealed. If the key is not correct, the barrier remains sealed.
	Unseal(key []byte) error

	// VerifyMaster is used to check if the given key matches the master key
	VerifyMaster(key []byte) error

	// SetMasterKey is used to directly set a new master key. This is used in
	// repliated scenarios due to the chicken and egg problem of reloading the
	// keyring from disk before we have the master key to decrypt it.
	SetMasterKey(key []byte) error

	// ReloadKeyring is used to re-read the underlying keyring.
	// This is used for HA deployments to ensure the latest keyring
	// is present in the leader.
	ReloadKeyring() error

	// ReloadMasterKey is used to re-read the underlying masterkey.
	// This is used for HA deployments to ensure the latest master key
	// is available for keyring reloading.
	ReloadMasterKey() error

	// Seal is used to re-seal the barrier. This requires the barrier to
	// be unsealed again to perform any further operations.
	Seal() error

	// Rotate is used to create a new encryption key. All future writes
	// should use the new key, while old values should still be decryptable.
	Rotate() (uint32, error)

	// CreateUpgrade creates an upgrade path key to the given term from the previous term
	CreateUpgrade(term uint32) error

	// DestroyUpgrade destroys the upgrade path key to the given term
	DestroyUpgrade(term uint32) error

	// CheckUpgrade looks for an upgrade to the current term and installs it
	CheckUpgrade() (bool, uint32, error)

	// ActiveKeyInfo is used to inform details about the active key
	ActiveKeyInfo() (*KeyInfo, error)

	// Rekey is used to change the master key used to protect the keyring
	Rekey([]byte) error

	// For replication we must send over the keyring, so this must be available
	Keyring() (*Keyring, error)

	// SecurityBarrier must provide the storage APIs
	BarrierStorage

	// SecurityBarrier must provide the encryption APIs
	BarrierEncryptor
}

SecurityBarrier is a critical component of Vault. It is used to wrap an untrusted physical backend and provide a single point of encryption, decryption and checksum verification. The goal is to ensure that any data written to the barrier is confidential and that integrity is preserved. As a real-world analogy, this is the steel and concrete wrapper around a Vault. The barrier should only be Unlockable given its key.

type SystemBackend

type SystemBackend struct {
	Core    *Core
	Backend *framework.Backend
}

SystemBackend implements logical.Backend and is used to interact with the core of the system. This backend is hardcoded to exist at the "sys" prefix. Conceptually it is similar to procfs on Linux.

type TestClusterCore added in v0.6.1

type TestClusterCore struct {
	*Core
	Listeners   []*TestListener
	Root        string
	BarrierKeys [][]byte
	CACertBytes []byte
	CACert      *x509.Certificate
	TLSConfig   *tls.Config
	ClusterID   string
	Client      *api.Client
}

func TestCluster added in v0.6.1

func TestCluster(t testing.TB, handlers []http.Handler, base *CoreConfig, unsealStandbys bool) []*TestClusterCore

func (*TestClusterCore) CloseListeners added in v0.6.1

func (t *TestClusterCore) CloseListeners()

type TestListener added in v0.6.1

type TestListener struct {
	net.Listener
	Address *net.TCPAddr
}

type TestSeal added in v0.6.5

type TestSeal struct {
	// contains filtered or unexported fields
}

func (*TestSeal) BarrierConfig added in v0.6.5

func (d *TestSeal) BarrierConfig() (*SealConfig, error)

func (*TestSeal) BarrierType added in v0.6.5

func (d *TestSeal) BarrierType() string

func (*TestSeal) Finalize added in v0.6.5

func (d *TestSeal) Finalize() error

func (*TestSeal) GetStoredKeys added in v0.6.5

func (d *TestSeal) GetStoredKeys() ([][]byte, error)

func (*TestSeal) Init added in v0.6.5

func (d *TestSeal) Init() error

func (*TestSeal) RecoveryConfig added in v0.6.5

func (d *TestSeal) RecoveryConfig() (*SealConfig, error)

func (*TestSeal) RecoveryKeySupported added in v0.6.5

func (d *TestSeal) RecoveryKeySupported() bool

func (*TestSeal) RecoveryType added in v0.6.5

func (d *TestSeal) RecoveryType() string

func (*TestSeal) SetBarrierConfig added in v0.6.5

func (d *TestSeal) SetBarrierConfig(config *SealConfig) error

func (*TestSeal) SetCore added in v0.6.5

func (d *TestSeal) SetCore(core *Core)

func (*TestSeal) SetRecoveryConfig added in v0.6.5

func (d *TestSeal) SetRecoveryConfig(config *SealConfig) error

func (*TestSeal) SetRecoveryKey added in v0.6.5

func (d *TestSeal) SetRecoveryKey(key []byte) error

func (*TestSeal) SetStoredKeys added in v0.6.5

func (d *TestSeal) SetStoredKeys(keys [][]byte) error

func (*TestSeal) StoredKeysSupported added in v0.6.5

func (d *TestSeal) StoredKeysSupported() bool

func (*TestSeal) VerifyRecoveryKey added in v0.6.5

func (d *TestSeal) VerifyRecoveryKey(key []byte) error

type TokenEntry

type TokenEntry struct {
	// ID of this entry, generally a random UUID
	ID string `json:"id" mapstructure:"id" structs:"id"`

	// Accessor for this token, a random UUID
	Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor"`

	// Parent token, used for revocation trees
	Parent string `json:"parent" mapstructure:"parent" structs:"parent"`

	// Which named policies should be used
	Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`

	// Used for audit trails, this is something like "auth/user/login"
	Path string `json:"path" mapstructure:"path" structs:"path"`

	// Used for auditing. This could include things like "source", "user", "ip"
	Meta map[string]string `json:"meta" mapstructure:"meta" structs:"meta"`

	// Used for operators to be able to associate with the source
	DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`

	// Used to restrict the number of uses (zero is unlimited). This is to
	// support one-time-tokens (generalized). There are a few special values:
	// if it's -1 it has run through its use counts and is executing its final
	// use; if it's -2 it is tainted, which means revocation is currently
	// running on it; and if it's -3 it's also tainted but revocation
	// previously ran and failed, so this hints the tidy function to try it
	// again.
	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`

	// Time of token creation
	CreationTime int64 `json:"creation_time" mapstructure:"creation_time" structs:"creation_time"`

	// Duration set when token was created
	TTL time.Duration `json:"ttl" mapstructure:"ttl" structs:"ttl"`

	// Explicit maximum TTL on the token
	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl"`

	// If set, the role that was used for parameters at creation time
	Role string `json:"role" mapstructure:"role" structs:"role"`

	// If set, the period of the token. This is only used when created directly
	// through the create endpoint; periods managed by roles or other auth
	// backends are subject to those renewal rules.
	Period time.Duration `json:"period" mapstructure:"period" structs:"period"`

	// These are the deprecated fields
	DisplayNameDeprecated    string        `json:"DisplayName" mapstructure:"DisplayName" structs:"DisplayName"`
	NumUsesDeprecated        int           `json:"NumUses" mapstructure:"NumUses" structs:"NumUses"`
	CreationTimeDeprecated   int64         `json:"CreationTime" mapstructure:"CreationTime" structs:"CreationTime"`
	ExplicitMaxTTLDeprecated time.Duration `json:"ExplicitMaxTTL" mapstructure:"ExplicitMaxTTL" structs:"ExplicitMaxTTL"`
}

TokenEntry is used to represent a given token

type TokenStore

type TokenStore struct {
	*framework.Backend
	// contains filtered or unexported fields
}

TokenStore is used to manage client tokens. Tokens are used for clients to authenticate, and each token is mapped to an applicable set of policy which is used for authorization.

func NewTokenStore

func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)

NewTokenStore is used to construct a token store that is backed by the given barrier view.

func (*TokenStore) Initialize added in v0.7.0

func (ts *TokenStore) Initialize() error

func (*TokenStore) Lookup

func (ts *TokenStore) Lookup(id string) (*TokenEntry, error)

Lookup is used to find a token given its ID. It acquires a read lock, then calls lookupSalted.

func (*TokenStore) Revoke

func (ts *TokenStore) Revoke(id string) error

Revoke is used to invalidate a given token, any child tokens will be orphaned.

func (*TokenStore) RevokeTree

func (ts *TokenStore) RevokeTree(id string) error

RevokeTree is used to invalide a given token and all child tokens.

func (*TokenStore) SaltID

func (ts *TokenStore) SaltID(id string) string

SaltID is used to apply a salt and hash to an ID to make sure its not reversible

func (*TokenStore) SetExpirationManager

func (ts *TokenStore) SetExpirationManager(exp *ExpirationManager)

SetExpirationManager is used to provide the token store with an expiration manager. This is used to manage prefix based revocation of tokens and to tidy entries when removed from the token store.

func (*TokenStore) UseToken

func (ts *TokenStore) UseToken(te *TokenEntry) (*TokenEntry, error)

UseToken is used to manage restricted use tokens and decrement their available uses. Returns two values: a potentially updated entry or, if the token has been revoked, nil; and whether an error was encountered. The locking here isn't perfect, as other parts of the code may update an entry, but usually none after the entry is already created...so this is pretty good.

func (*TokenStore) UseTokenByID added in v0.6.2

func (ts *TokenStore) UseTokenByID(id string) (*TokenEntry, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL