Documentation
¶
Index ¶
- Constants
- Variables
- func TestStorage(t *testing.T, s Storage)
- func UUID() (string, error)
- type Auth
- type Backend
- type Connection
- type Factory
- type InmemStorage
- type LeaseOptions
- type Operation
- type Paths
- type Request
- func RenewAuthRequest(path string, auth *Auth, data map[string]interface{}) *Request
- func RenewRequest(path string, secret *Secret, data map[string]interface{}) *Request
- func RevokeRequest(path string, secret *Secret, data map[string]interface{}) *Request
- func RollbackRequest(path string) *Request
- func TestRequest(t *testing.T, op Operation, path string) *Request
- type Response
- type Secret
- type Storage
- type StorageEntry
Constants ¶
const ( // The operations below are called per path ReadOperation Operation = "read" WriteOperation = "write" DeleteOperation = "delete" ListOperation = "list" HelpOperation = "help" // The operations below are called globally, the path is less relevant. RevokeOperation Operation = "revoke" RenewOperation = "renew" RollbackOperation = "rollback" )
Variables ¶
var ( // ErrUnsupportedOperation is returned if the operation is not supported // by the logical backend. ErrUnsupportedOperation = errors.New("unsupported operation") // ErrUnsupportedPath is returned if the path is not supported // by the logical backend. ErrUnsupportedPath = errors.New("unsupported path") // ErrInvalidRequest is returned if the request is invalid ErrInvalidRequest = errors.New("invalid request") // ErrPermissionDeneid is returned if the client is not authorized ErrPermissionDenied = errors.New("permission denied") )
Functions ¶
func TestStorage ¶
TestStorage is a helper that can be used from unit tests to verify the behavior of a Storage impl.
Types ¶
type Auth ¶
type Auth struct {
LeaseOptions
// InternalData is JSON-encodable data that is stored with the auth struct.
// This will be sent back during a Renew/Revoke for storing internal data
// used for those operations.
InternalData map[string]interface{}
// DisplayName is a non-security sensitive identifier that is
// applicable to this Auth. It is used for logging and prefixing
// of dynamic secrets. For example, DisplayName may be "armon" for
// the github credential backend. If the client token is used to
// generate a SQL credential, the user may be "github-armon-uuid".
// This is to help identify the source without using audit tables.
DisplayName string
// Policies is the list of policies that the authenticated user
// is associated with.
Policies []string
// Metadata is used to attach arbitrary string-type metadata to
// an authenticated user. This metadata will be outputted into the
// audit log.
Metadata map[string]string
// ClientToken is the token that is generated for the authentication.
// This will be filled in by Vault core when an auth structure is
// returned. Setting this manually will have no effect.
ClientToken string
}
Auth is the resulting authentication information that is part of Response for credential backends.
type Backend ¶
type Backend interface {
// HandleRequest is used to handle a request and generate a response.
// The backends must check the operation type and handle appropriately.
HandleRequest(*Request) (*Response, error)
// SpecialPaths is a list of paths that are special in some way.
// See PathType for the types of special paths. The key is the type
// of the special path, and the value is a list of paths for this type.
// This is not a regular expression but is an exact match. If the path
// ends in '*' then it is a prefix-based match. The '*' can only appear
// at the end.
SpecialPaths() *Paths
// SetLogger is called to set the logger for the backend. The backend
// should use this logger. The log should not contain any secrets.
// It should not be assumed that this function will be called every time.
//
// SetLogger will not be called by Vault core in parallel, and
// therefore doesn't need any lock protection.
SetLogger(*log.Logger)
}
Backend interface must be implemented to be "mountable" at a given path. Requests flow through a router which has various mount points that flow to a logical backend. The logic of each backend is flexible, and this is what allows materialized keys to function. There can be specialized logical backends for various upstreams (Consul, PostgreSQL, MySQL, etc) that can interact with remote APIs to generate keys dynamically. This interface also allows for a "procfs" like interaction, as internal state can be exposed by acting like a logical backend and being mounted.
type Connection ¶
type Connection struct {
// RemoteAddr is the network address that sent the request.
RemoteAddr string
// ConnState is the TLS connection state if applicable.
ConnState *tls.ConnectionState
}
Connection represents the connection information for a request. This is present on the Request structure for credential backends.
type InmemStorage ¶
type InmemStorage struct {
Data map[string]*StorageEntry
// contains filtered or unexported fields
}
InmemStorage implements Storage and stores all data in memory.
func (*InmemStorage) Delete ¶
func (s *InmemStorage) Delete(k string) error
func (*InmemStorage) Get ¶
func (s *InmemStorage) Get(key string) (*StorageEntry, error)
func (*InmemStorage) Put ¶
func (s *InmemStorage) Put(entry *StorageEntry) error
type LeaseOptions ¶
type LeaseOptions struct {
// Lease is the duration that this secret is valid for. Vault
// will automatically revoke it after the duration + grace period.
Lease time.Duration `json:"lease"`
LeaseGracePeriod time.Duration `json:"lease_grace_period"`
// Renewable, if true, means that this secret can be renewed.
Renewable bool `json:"renewable"`
// LeaseIncrement will be the lease increment that the user requested.
// This is only available on a Renew operation and has no effect
// when returning a response.
LeaseIncrement time.Duration `json:"-"`
// LeaseIssue is the time of issue for the original lease. This is
// only available on a Renew operation and has no effect when returning
// a response. It can be used to enforce maximum lease periods by
// a logical backend. This time will always be in UTC.
LeaseIssue time.Time `json:"-"`
}
LeaseOptions is an embeddable struct to capture common lease settings between a Secret and Auth
func (*LeaseOptions) ExpirationTime ¶
func (l *LeaseOptions) ExpirationTime() time.Time
ExpirationTime computes the time until expiration including the grace period
func (*LeaseOptions) IncrementedLease ¶
func (l *LeaseOptions) IncrementedLease(inc time.Duration) time.Duration
IncrementedLease returns the lease duration that would need to set in order to increment the _current_ lease by the given duration if the auth were re-issued right now.
func (*LeaseOptions) LeaseEnabled ¶
func (l *LeaseOptions) LeaseEnabled() bool
LeaseEnabled checks if leasing is enabled
func (*LeaseOptions) LeaseTotal ¶
func (l *LeaseOptions) LeaseTotal() time.Duration
LeaseTotal is the total lease time including the grace period
type Operation ¶
type Operation string
Operation is an enum that is used to specify the type of request being made
type Paths ¶
type Paths struct {
// Root are the paths that require a root token to access
Root []string
// Unauthenticated are the paths that can be accessed without any auth.
Unauthenticated []string
}
Paths is the structure of special paths that is used for SpecialPaths.
type Request ¶
type Request struct {
// Operation is the requested operation type
Operation Operation
// Path is the part of the request path not consumed by the
// routing. As an example, if the original request path is "prod/aws/foo"
// and the AWS logical backend is mounted at "prod/aws/", then the
// final path is "foo" since the mount prefix is trimmed.
Path string
// Request data is an opaque map that must have string keys.
Data map[string]interface{}
// Storage can be used to durably store and retrieve state.
Storage Storage
// Secret will be non-nil only for Revoke and Renew operations
// to represent the secret that was returned prior.
Secret *Secret
// Auth will be non-nil only for Renew operations
// to represent the auth that was returned prior.
Auth *Auth
// Connection will be non-nil only for credential providers to
// inspect the connection information and potentially use it for
// authentication/protection.
Connection *Connection
// ClientToken is provided to the core so that the identity
// can be verified and ACLs applied. This value is passed
// through to the logical backends but after being salted and
// hashed.
ClientToken string
// DisplayName is provided to the logical backend to help associate
// dynamic secrets with the source entity. This is not a sensitive
// name, but is useful for operators.
DisplayName string
}
Request is a struct that stores the parameters and context of a request being made to Vault. It is used to abstract the details of the higher level request protocol from the handlers.
func RenewAuthRequest ¶
RenewAuthRequest creates the structure of the renew request for an auth.
func RenewRequest ¶
RenewRequest creates the structure of the renew request.
func RevokeRequest ¶
RevokeRequest creates the structure of the revoke request.
func RollbackRequest ¶
RollbackRequest creates the structure of the revoke request.
func TestRequest ¶
TestRequest is a helper to create a purely in-memory Request struct.
type Response ¶
type Response struct {
// Secret, if not nil, denotes that this response represents a secret.
Secret *Secret
// Auth, if not nil, contains the authentication information for
// this response. This is only checked and means something for
// credential backends.
Auth *Auth
// Response data is an opaque map that must have string keys. For
// secrets, this data is sent down to the user as-is. To store internal
// data that you don't want the user to see, store it in
// Secret.InternalData.
Data map[string]interface{}
// Redirect is an HTTP URL to redirect to for further authentication.
// This is only valid for credential backends. This will be blanked
// for any logical backend and ignored.
Redirect string
}
Response is a struct that stores the response of a request. It is used to abstract the details of the higher level request protocol.
func ErrorResponse ¶
ErrorResponse is used to format an error response
func HelpResponse ¶
HelpResponse is used to format a help response
func ListResponse ¶
ListResponse is used to format a response to a list operation.
type Secret ¶
type Secret struct {
LeaseOptions
// InternalData is JSON-encodable data that is stored with the secret.
// This will be sent back during a Renew/Revoke for storing internal data
// used for those operations.
InternalData map[string]interface{} `json:"internal_data"`
// LeaseID is the ID returned to the user to manage this secret.
// This is generated by Vault core. Any set value will be ignored.
// For requests, this will always be blank.
LeaseID string
}
Secret represents the secret part of a response.
type Storage ¶
type Storage interface {
List(prefix string) ([]string, error)
Get(string) (*StorageEntry, error)
Put(*StorageEntry) error
Delete(string) error
}
Storage is the way that logical backends are able read/write data.
type StorageEntry ¶
StorageEntry is the entry for an item in a Storage implementation.
func StorageEntryJSON ¶
func StorageEntryJSON(k string, v interface{}) (*StorageEntry, error)
StorageEntryJSON creates a StorageEntry with a JSON-encoded value.
func (*StorageEntry) DecodeJSON ¶
func (e *StorageEntry) DecodeJSON(out interface{}) error
Source Files
Directories