vault

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 28, 2015 License: MPL-2.0 Imports: 28 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	PathPolicyDeny  = "deny"
	PathPolicyRead  = "read"
	PathPolicyWrite = "write"
	PathPolicySudo  = "sudo"
)

Variables

View Source 
var (
	// ErrBarrierSealed is returned if an operation is performed on
	// a sealed barrier. No operation is expected to succeed before unsealing
	ErrBarrierSealed = errors.New("Vault is sealed")

	// ErrBarrierAlreadyInit is returned if the barrier is already
	// initialized. This prevents a re-initialization.
	ErrBarrierAlreadyInit = errors.New("Vault is already initialized")

	// ErrBarrierNotInit is returned if a non-initialized barrier
	// is attempted to be unsealed.
	ErrBarrierNotInit = errors.New("Vault is not initialized")

	// ErrBarrierInvalidKey is returned if the Unseal key is invalid
	ErrBarrierInvalidKey = errors.New("Unseal failed, invalid key")
)
View Source 
var (
	// ErrSealed is returned if an operation is performed on
	// a sealed barrier. No operation is expected to succeed before unsealing
	ErrSealed = errors.New("Vault is sealed")

	// ErrStandby is returned if an operation is performed on
	// a standby Vault. No operation is expected to succeed until active.
	ErrStandby = errors.New("Vault is in standby mode")

	// ErrAlreadyInit is returned if the core is already
	// initialized. This prevents a re-initialization.
	ErrAlreadyInit = errors.New("Vault is already initialized")

	// ErrNotInit is returned if a non-initialized barrier
	// is attempted to be unsealed.
	ErrNotInit = errors.New("Vault is not initialized")

	// ErrInternalError is returned when we don't want to leak
	// any information about an internal error
	ErrInternalError = errors.New("internal error")

	// ErrHANotEnabled is returned if the operation only makes sense
	// in an HA setting
	ErrHANotEnabled = errors.New("Vault is not configured for highly-available mode")
)

Functions

func ClearView 

func ClearView(view *BarrierView) error

ClearView is used to delete all the keys in a view

func CollectKeys 

func CollectKeys(view *BarrierView) ([]string, error)

CollectKeys is used to collect all the keys in a view

func LockMemory 

func LockMemory() error

LockMemory is used to prevent any memory from being swapped to disk

func NewSystemBackend 

func NewSystemBackend(core *Core) logical.Backend

func PassthroughBackendFactory 

func PassthroughBackendFactory(map[string]string) (logical.Backend, error)

logical.Factory

func ScanView 

func ScanView(view *BarrierView, cb func(path string)) error

ScanView is used to scan all the keys in a view iteratively

func TestCoreInit 

func TestCoreInit(t *testing.T, core *Core) ([]byte, string)

TestCoreInit initializes the core with a single key, and returns the key that must be used to unseal the core and a root token.

func TestKeyCopy 

func TestKeyCopy(key []byte) []byte

TestKeyCopy is a silly little function to just copy the key so that it can be used with Unseal easily.

Types

type ACL 

type ACL struct {
	// contains filtered or unexported fields
}

ACL is used to wrap a set of policies to provide an efficient interface for access control.

func NewACL 

func NewACL(policies []*Policy) (*ACL, error)

New is used to construct a policy based ACL from a set of policies.

func (*ACL) AllowOperation 

func (a *ACL) AllowOperation(op logical.Operation, path string) bool

AllowOperation is used to check if the given operation is permitted

func (*ACL) RootPrivilege 

func (a *ACL) RootPrivilege(path string) bool

RootPrivilege checks if the user has root level permission to given path. This requires that the user be root, or that sudo privilege is available on that path.

type AESGCMBarrier 

type AESGCMBarrier struct {
	// contains filtered or unexported fields
}

AESGCMBarrier is a SecurityBarrier implementation that uses the AES cipher core and the Galois Counter Mode block mode. It defaults to the golang NONCE default value of 12 and a key size of 256 bit. AES-GCM is high performance, and provides both confidentiality and integrity.

func NewAESGCMBarrier 

func NewAESGCMBarrier(physical physical.Backend) (*AESGCMBarrier, error)

NewAESGCMBarrier is used to construct a new barrier that uses the provided physical backend for storage.

func (*AESGCMBarrier) Delete 

func (b *AESGCMBarrier) Delete(key string) error

Delete is used to permanently delete an entry

func (*AESGCMBarrier) GenerateKey 

func (b *AESGCMBarrier) GenerateKey() ([]byte, error)

GenerateKey is used to generate a new key

func (*AESGCMBarrier) Get 

func (b *AESGCMBarrier) Get(key string) (*Entry, error)

Get is used to fetch an entry

func (*AESGCMBarrier) Initialize 

func (b *AESGCMBarrier) Initialize(key []byte) error

Initialize works only if the barrier has not been initialized and makes use of the given master key.

func (*AESGCMBarrier) Initialized 

func (b *AESGCMBarrier) Initialized() (bool, error)

Initialized checks if the barrier has been initialized and has a master key set.

func (*AESGCMBarrier) KeyLength 

func (b *AESGCMBarrier) KeyLength() (int, int)

KeyLength is used to sanity check a key

func (*AESGCMBarrier) List 

func (b *AESGCMBarrier) List(prefix string) ([]string, error)

List is used ot list all the keys under a given prefix, up to the next prefix.

func (*AESGCMBarrier) Put 

func (b *AESGCMBarrier) Put(entry *Entry) error

Put is used to insert or update an entry

func (*AESGCMBarrier) Seal 

func (b *AESGCMBarrier) Seal() error

Seal is used to re-seal the barrier. This requires the barrier to be unsealed again to perform any further operations.

func (*AESGCMBarrier) Sealed 

func (b *AESGCMBarrier) Sealed() (bool, error)

Sealed checks if the barrier has been unlocked yet. The Barrier is not expected to be able to perform any CRUD until it is unsealed.

func (*AESGCMBarrier) Unseal 

func (b *AESGCMBarrier) Unseal(key []byte) error

Unseal is used to provide the master key which permits the barrier to be unsealed. If the key is not correct, the barrier remains sealed.

type AuditBroker 

type AuditBroker struct {
	// contains filtered or unexported fields
}

AuditBroker is used to provide a single ingest interface to auditable events given that multiple backends may be configured.

func NewAuditBroker 

func NewAuditBroker(log *log.Logger) *AuditBroker

NewAuditBroker creates a new audit broker

func (*AuditBroker) Deregister 

func (a *AuditBroker) Deregister(name string)

Deregister is used to remove an audit backend from the broker

func (*AuditBroker) IsRegistered 

func (a *AuditBroker) IsRegistered(name string) bool

IsRegistered is used to check if a given audit backend is registered

func (*AuditBroker) LogRequest 

func (a *AuditBroker) LogRequest(auth *logical.Auth, req *logical.Request) error

LogRequest is used to ensure all the audit backends have an opportunity to log the given request and that *at least one* succeeds.

func (*AuditBroker) LogResponse 

func (a *AuditBroker) LogResponse(auth *logical.Auth, req *logical.Request,
	resp *logical.Response, err error) error

LogResponse is used to ensure all the audit backends have an opportunity to log the given response and that *at least one* succeeds.

func (*AuditBroker) Register 

func (a *AuditBroker) Register(name string, b audit.Backend, v *BarrierView)

Register is used to add new audit backend to the broker

type BarrierStorage 

type BarrierStorage interface {
	// Put is used to insert or update an entry
	Put(entry *Entry) error

	// Get is used to fetch an entry
	Get(key string) (*Entry, error)

	// Delete is used to permanently delete an entry
	Delete(key string) error

	// List is used ot list all the keys under a given
	// prefix, up to the next prefix.
	List(prefix string) ([]string, error)
}

BarrierStorage is the storage only interface required for a Barrier.

type BarrierView 

type BarrierView struct {
	// contains filtered or unexported fields
}

BarrierView wraps a SecurityBarrier and ensures all access is automatically prefixed. This is used to prevent anyone with access to the view to access any data in the durable storage outside of their prefix. Conceptually this is like a "chroot" into the barrier.

BarrierView implements logical.Storage so it can be passed in as the durable storage mechanism for logical views.

func NewBarrierView 

func NewBarrierView(barrier BarrierStorage, prefix string) *BarrierView

NewBarrierView takes an underlying security barrier and returns a view of it that can only operate with the given prefix.

func (*BarrierView) Delete 

func (v *BarrierView) Delete(key string) error

logical.Storage impl.

func (*BarrierView) Get 

func (v *BarrierView) Get(key string) (*logical.StorageEntry, error)

logical.Storage impl.

func (*BarrierView) List 

func (v *BarrierView) List(prefix string) ([]string, error)

logical.Storage impl.

func (*BarrierView) Put 

func (v *BarrierView) Put(entry *logical.StorageEntry) error

logical.Storage impl.

func (*BarrierView) SubView 

func (v *BarrierView) SubView(prefix string) *BarrierView

SubView constructs a nested sub-view using the given prefix

type Core 

type Core struct {
	// contains filtered or unexported fields
}

Core is used as the central manager of Vault activity. It is the primary point of interface for API handlers and is responsible for managing the logical and physical backends, router, security barrier, and audit trails.

func NewCore 

func NewCore(conf *CoreConfig) (*Core, error)

NewCore isk used to construct a new core

func TestCore 

func TestCore(t *testing.T) *Core

TestCore returns a pure in-memory, uninitialized core for testing.

func TestCoreUnsealed 

func TestCoreUnsealed(t *testing.T) (*Core, []byte, string)

TestCoreUnsealed returns a pure in-memory core that is already initialized and unsealed.

func (*Core) HandleRequest 

func (c *Core) HandleRequest(req *logical.Request) (*logical.Response, error)

HandleRequest is used to handle a new incoming request

func (*Core) Initialize 

func (c *Core) Initialize(config *SealConfig) (*InitResult, error)

Initialize is used to initialize the Vault with the given configurations.

func (*Core) Initialized 

func (c *Core) Initialized() (bool, error)

Initialized checks if the Vault is already initialized

func (*Core) Leader 

func (c *Core) Leader() (bool, string, error)

Leader is used to get the current active leader

func (*Core) Seal 

func (c *Core) Seal(token string) error

Seal is used to re-seal the Vault. This requires the Vault to be unsealed again to perform any further operations.

func (*Core) SealConfig 

func (c *Core) SealConfig() (*SealConfig, error)

SealConfiguration is used to return information about the configuration of the Vault and it's current status.

func (*Core) Sealed 

func (c *Core) Sealed() (bool, error)

Sealed checks if the Vault is current sealed

func (*Core) SecretProgress 

func (c *Core) SecretProgress() int

SecretProgress returns the number of keys provided so far

func (*Core) Standby 

func (c *Core) Standby() (bool, error)

Standby checks if the Vault is in standby mode

func (*Core) Unseal 

func (c *Core) Unseal(key []byte) (bool, error)

Unseal is used to provide one of the key parts to unseal the Vault.

They key given as a parameter will automatically be zerod after this method is done with it. If you want to keep the key around, a copy should be made.

type CoreConfig 

type CoreConfig struct {
	LogicalBackends    map[string]logical.Factory
	CredentialBackends map[string]logical.Factory
	AuditBackends      map[string]audit.Factory
	Physical           physical.Backend
	Logger             *log.Logger
	DisableCache       bool   // Disables the LRU cache on the physical backend
	DisableMlock       bool   // Disables mlock syscall
	CacheSize          int    // Custom cache size of zero for default
	AdvertiseAddr      string // Set as the leader address for HA
}

CoreConfig is used to parameterize a core

type Entry 

type Entry struct {
	Key   string
	Value []byte
}

Entry is used to represent data stored by the security barrier

func (*Entry) Logical 

func (e *Entry) Logical() *logical.StorageEntry

Logical turns the Entry into a logical storage entry.

type ErrInvalidKey 

type ErrInvalidKey struct {
	Reason string
}

ErrInvalidKey is returned if there is an error with a provided unseal key.

func (*ErrInvalidKey) Error 

func (e *ErrInvalidKey) Error() string

type ExpirationManager 

type ExpirationManager struct {
	// contains filtered or unexported fields
}

ExpirationManager is used by the Core to manage leases. Secrets can provide a lease, meaning that they can be renewed or revoked. If a secret is not renewed in timely manner, it may be expired, and the ExpirationManager will handle doing automatic revocation.

func NewExpirationManager 

func NewExpirationManager(router *Router, view *BarrierView, ts *TokenStore, logger *log.Logger) *ExpirationManager

NewExpirationManager creates a new ExpirationManager that is backed using a given view, and uses the provided router for revocation.

func (*ExpirationManager) Register 

func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Response) (string, error)

Register is used to take a request and response with an associated lease. The secret gets assigned a LeaseID and the management of of lease is assumed by the expiration manager.

func (*ExpirationManager) RegisterAuth 

func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) error

RegisterAuth is used to take an Auth response with an associated lease. The token does not get a LeaseID, but the lease management is handled by the expiration manager.

func (*ExpirationManager) Renew 

func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*logical.Response, error)

Renew is used to renew a secret using the given leaseID and a renew interval. The increment may be ignored.

func (*ExpirationManager) RenewToken 

func (m *ExpirationManager) RenewToken(source string, token string,
	increment time.Duration) (*logical.Auth, error)

RenewToken is used to renew a token which does not need to invoke a logical backend.

func (*ExpirationManager) Restore 

func (m *ExpirationManager) Restore() error

Restore is used to recover the lease states when starting. This is used after starting the vault.

func (*ExpirationManager) Revoke 

func (m *ExpirationManager) Revoke(leaseID string) error

Revoke is used to revoke a secret named by the given LeaseID

func (*ExpirationManager) RevokeByToken 

func (m *ExpirationManager) RevokeByToken(token string) error

RevokeByToken is used to revoke all the secrets issued with a given token. This is done by using the secondary index.

func (*ExpirationManager) RevokePrefix 

func (m *ExpirationManager) RevokePrefix(prefix string) error

RevokePrefix is used to revoke all secrets with a given prefix. The prefix maps to that of the mount table to make this simpler to reason about.

func (*ExpirationManager) Stop 

func (m *ExpirationManager) Stop() error

Stop is used to prevent further automatic revocations. This must be called before sealing the view.

type InitResult 

type InitResult struct {
	SecretShares [][]byte
	RootToken    string
}

InitResult is used to provide the key parts back after they are generated as part of the initialization.

type MountEntry 

type MountEntry struct {
	Path        string            `json:"path"`              // Mount Path
	Type        string            `json:"type"`              // Logical backend Type
	Description string            `json:"description"`       // User-provided description
	UUID        string            `json:"uuid"`              // Barrier view UUID
	Options     map[string]string `json:"options"`           // Backend configuration
	Tainted     bool              `json:"tainted,omitempty"` // Set as a Write-Ahead flag for unmount/remount
}

MountEntry is used to represent a mount table entry

func (*MountEntry) Clone 

func (e *MountEntry) Clone() *MountEntry

Returns a deep copy of the mount entry

type MountTable 

type MountTable struct {
	// This lock should be held whenever modifying the Entries field.
	sync.RWMutex

	Entries []*MountEntry `json:"entries"`
}

MountTable is used to represent the internal mount table

func (*MountTable) Clone 

func (t *MountTable) Clone() *MountTable

Returns a deep copy of the mount table

func (*MountTable) Find 

func (t *MountTable) Find(path string) *MountEntry

Find is used to lookup an entry

func (*MountTable) Hash 

func (t *MountTable) Hash() ([]byte, error)

Hash is used to generate a hash value for the mount table

func (*MountTable) Remove 

func (t *MountTable) Remove(path string) bool

Remove is used to remove a given path entry

func (*MountTable) SetTaint 

func (t *MountTable) SetTaint(path string, value bool) bool

SetTaint is used to set the taint on given entry

type PassthroughBackend 

type PassthroughBackend struct {
	*framework.Backend
}

PassthroughBackend is used storing secrets directly into the physical backend. The secrest are encrypted in the durable storage and custom lease information can be specified, but otherwise this backend doesn't do anything fancy.

type PathPolicy 

type PathPolicy struct {
	Prefix string `hcl:",key"`
	Policy string
}

PathPolicy represents a policy for a path in the namespace

type Policy 

type Policy struct {
	Name  string        `hcl:"name"`
	Paths []*PathPolicy `hcl:"path,expand"`
	Raw   string
}

Policy is used to represent the policy specified by an ACL configuration.

func Parse 

func Parse(rules string) (*Policy, error)

Parse is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL

type PolicyStore 

type PolicyStore struct {
	// contains filtered or unexported fields
}

PolicyStore is used to provide durable storage of policy, and to manage ACLs associated with them.

func NewPolicyStore 

func NewPolicyStore(view *BarrierView) *PolicyStore

NewPolicyStore creates a new PolicyStore that is backed using a given view. It used used to durable store and manage named policy.

func (*PolicyStore) ACL 

func (ps *PolicyStore) ACL(names ...string) (*ACL, error)

ACL is used to return an ACL which is built using the named policies.

func (*PolicyStore) DeletePolicy 

func (ps *PolicyStore) DeletePolicy(name string) error

DeletePolicy is used to delete the named policy

func (*PolicyStore) GetPolicy 

func (ps *PolicyStore) GetPolicy(name string) (*Policy, error)

GetPolicy is used to fetch the named policy

func (*PolicyStore) ListPolicies 

func (ps *PolicyStore) ListPolicies() ([]string, error)

ListPolicies is used to list the available policies

func (*PolicyStore) SetPolicy 

func (ps *PolicyStore) SetPolicy(p *Policy) error

SetPolicy is used to create or update the given policy

type RollbackManager 

type RollbackManager struct {
	// contains filtered or unexported fields
}

RollbackManager is responsible for performing rollbacks of partial secrets within logical backends.

During normal operations, it is possible for logical backends to error partially through an operation. These are called "partial secrets": they are never sent back to a user, but they do need to be cleaned up. This manager handles that by periodically (on a timer) requesting that the backends clean up.

The RollbackManager periodically initiates a logical.RollbackOperation on every mounted logical backend. It ensures that only one rollback operation is in-flight at any given time within a single seal/unseal phase.

func NewRollbackManager 

func NewRollbackManager(logger *log.Logger, mounts *MountTable, router *Router) *RollbackManager

NewRollbackManager is used to create a new rollback manager

func (*RollbackManager) Rollback 

func (m *RollbackManager) Rollback(path string) error

Rollback is used to trigger an immediate rollback of the path, or to join an existing rollback operation if in flight.

func (*RollbackManager) Start 

func (m *RollbackManager) Start()

Start starts the rollback manager

func (*RollbackManager) Stop 

func (m *RollbackManager) Stop()

Stop stops the running manager. This will wait for any in-flight rollbacks to complete.

type Router 

type Router struct {
	// contains filtered or unexported fields
}

Router is used to do prefix based routing of a request to a logical backend

func NewRouter 

func NewRouter() *Router

NewRouter returns a new router

func (*Router) LoginPath 

func (r *Router) LoginPath(path string) bool

LoginPath checks if the given path is used for logins

func (*Router) MatchingMount 

func (r *Router) MatchingMount(path string) string

MatchingMount returns the mount prefix that would be used for a path

func (*Router) MatchingView 

func (r *Router) MatchingView(path string) *BarrierView

MatchingView returns the view used for a path

func (*Router) Mount 

func (r *Router) Mount(backend logical.Backend, prefix, salt string, view *BarrierView) error

Mount is used to expose a logical backend at a given prefix, using a unique salt, and the barrier view for that path.

func (*Router) Remount 

func (r *Router) Remount(src, dst string) error

Remount is used to change the mount location of a logical backend

func (*Router) RootPath 

func (r *Router) RootPath(path string) bool

RootPath checks if the given path requires root privileges

func (*Router) Route 

func (r *Router) Route(req *logical.Request) (*logical.Response, error)

Route is used to route a given request

func (*Router) Taint 

func (r *Router) Taint(path string) error

Taint is used to mark a path as tainted. This means only RollbackOperation RenewOperation requests are allowed to proceed

func (*Router) Unmount 

func (r *Router) Unmount(prefix string) error

Unmount is used to remove a logical backend from a given prefix

func (*Router) Untaint 

func (r *Router) Untaint(path string) error

Untaint is used to unmark a path as tainted.

type SealConfig 

type SealConfig struct {
	// SecretShares is the number of shares the secret is
	// split into. This is the N value of Shamir
	SecretShares int `json:"secret_shares"`

	// SecretThreshold is the number of parts required
	// to open the vault. This is the T value of Shamir
	SecretThreshold int `json:"secret_threshold"`
}

SealConfig is used to describe the seal configuration

func (*SealConfig) Validate 

func (s *SealConfig) Validate() error

Validate is used to sanity check the seal configuration

type SecurityBarrier 

type SecurityBarrier interface {
	// Initialized checks if the barrier has been initialized
	// and has a master key set.
	Initialized() (bool, error)

	// Initialize works only if the barrier has not been initialized
	// and makes use of the given master key.
	Initialize([]byte) error

	// GenerateKey is used to generate a new key
	GenerateKey() ([]byte, error)

	// KeyLength is used to sanity check a key
	KeyLength() (int, int)

	// Sealed checks if the barrier has been unlocked yet. The Barrier
	// is not expected to be able to perform any CRUD until it is unsealed.
	Sealed() (bool, error)

	// Unseal is used to provide the master key which permits the barrier
	// to be unsealed. If the key is not correct, the barrier remains sealed.
	Unseal(key []byte) error

	// Seal is used to re-seal the barrier. This requires the barrier to
	// be unsealed again to perform any further operations.
	Seal() error

	// SecurityBarrier must provide the storage APIs
	BarrierStorage
}

SecurityBarrier is a critical component of Vault. It is used to wrap an untrusted physical backend and provide a single point of encryption, decryption and checksum verification. The goal is to ensure that any data written to the barrier is confidential and that integrity is preserved. As a real-world analogy, this is the steel and concrete wrapper around a Vault. The barrier should only be Unlockable given its key.

type SystemBackend 

type SystemBackend struct {
	Core *Core
}

SystemBackend implements logical.Backend and is used to interact with the core of the system. This backend is hardcoded to exist at the "sys" prefix. Conceptually it is similar to procfs on Linux.

type TokenEntry 

type TokenEntry struct {
	ID          string            // ID of this entry, generally a random UUID
	Parent      string            // Parent token, used for revocation trees
	Policies    []string          // Which named policies should be used
	Path        string            // Used for audit trails, this is something like "auth/user/login"
	Meta        map[string]string // Used for auditing. This could include things like "source", "user", "ip"
	DisplayName string            // Used for operators to be able to associate with the source
	NumUses     int               // Used to restrict the number of uses (zero is unlimited). This is to support one-time-tokens (generalized).
}

TokenEntry is used to represent a given token

type TokenStore 

type TokenStore struct {
	*framework.Backend
	// contains filtered or unexported fields
}

TokenStore is used to manage client tokens. Tokens are used for clients to authenticate, and each token is mapped to an applicable set of policy which is used for authorization.

func NewTokenStore 

func NewTokenStore(c *Core) (*TokenStore, error)

NewTokenStore is used to construct a token store that is backed by the given barrier view.

func (*TokenStore) Create 

func (ts *TokenStore) Create(entry *TokenEntry) error

Create is used to create a new token entry. The entry is assigned a newly generated ID if not provided.

func (*TokenStore) Lookup 

func (ts *TokenStore) Lookup(id string) (*TokenEntry, error)

Lookup is used to find a token given its ID

func (*TokenStore) Revoke 

func (ts *TokenStore) Revoke(id string) error

Revoke is used to invalidate a given token, any child tokens will be orphaned.

func (*TokenStore) RevokeTree 

func (ts *TokenStore) RevokeTree(id string) error

RevokeTree is used to invalide a given token and all child tokens.

func (*TokenStore) RootToken 

func (ts *TokenStore) RootToken() (*TokenEntry, error)

RootToken is used to generate a new token with root privileges and no parent

func (*TokenStore) SaltID 

func (ts *TokenStore) SaltID(id string) string

SaltID is used to apply a salt and hash to an ID to make sure its not reversable

func (*TokenStore) SetExpirationManager 

func (t *TokenStore) SetExpirationManager(exp *ExpirationManager)

SetExpirationManager is used to provide the token store with an expiration manager. This is used to manage prefix based revocation of tokens and to cleanup entries when removed from the token store.

func (*TokenStore) UseToken 

func (ts *TokenStore) UseToken(te *TokenEntry) error

UseToken is used to manage restricted use tokens and decrement their available uses.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.