
Documentation

Overview

Package api provides request and response types for interacting with the SecretHub API.

Index

Constants

// Wire values for an AuditSubjectType: the kind of resource an audit event refers to.
// Note that the identifier and the serialized value do not always match
// (AuditSubjectSecretMember is sent as "permission"); compare against the
// constants, never against the spelled-out names.
const (
	AuditSubjectAccount       = "account"
	AuditSubjectUser          = "user"
	AuditSubjectService       = "service"
	AuditSubjectSecret        = "secret"
	AuditSubjectSecretVersion = "secret_version"
	AuditSubjectSecretKey     = "secret_key"
	AuditSubjectSecretMember  = "permission" // wire value differs from the identifier; presumably kept for compatibility
	AuditSubjectRepo          = "repo"
	AuditSubjectRepoMember    = "repo_member"
	AuditSubjectRepoKey       = "repo_key"
)

The different options for an AuditSubjectType.

// Supported AuthMethod values for an authentication request. Each names an
// external identity provider whose identity proof the request carries
// (see CredentialProofPrefixAWS and the AWS/GCP authentication errors below).
// ErrInvalidAuthMethod is the error for any other value.
const (
	AuthMethodAWSSTS            = "aws-sts"
	AuthMethodGCPServiceAccount = "gcp-service-account"
)

AuthMethod options

// Keys of the metadata map attached to a credential. Which keys are required
// depends on the credential type; ErrMissingMetadata and ErrUnknownMetadataKey
// report keys that are absent or outside this set, and ErrInvalidMetadataValue
// reports a value that does not parse.
const (
	// AWS credentials: the KMS key used to wrap the account key and the IAM role the service runs under.
	CredentialMetadataAWSKMSKey = "aws_kms_key_id"
	CredentialMetadataAWSRole   = "aws_role"

	// GCP credentials: the full KMS key resource ID (see ErrInvalidGCPKMSResourceID for the expected form)
	// and the user-managed service account email.
	CredentialMetadataGCPKMSKeyResourceID    = "gcp_kms_resource_id"
	CredentialMetadataGCPServiceAccountEmail = "gcp_service_account_email"
)

Credential metadata keys

// Supported values for EncryptionAlgorithm and HashingAlgorithm. These are the
// strings carried in encoded ciphertexts; an unrecognized one yields
// ErrUnknownAlgorithm / ErrInvalidEncryptionAlgorithm / ErrInvalidHashingAlgorithm.
const (
	EncryptionAlgorithmAESGCM EncryptionAlgorithm = "aes-gcm"
	// The identifier is spelled "OEAP" but the wire value is the correct "rsa-oaep";
	// the exported name cannot be corrected without breaking callers.
	EncryptionAlgorithmRSAOEAP EncryptionAlgorithm = "rsa-oaep"
	EncryptionAlgorithmAWSKMS  EncryptionAlgorithm = "aws-kms"
	EncryptionAlgorithmGCPKMS  EncryptionAlgorithm = "gcp-kms"

	// HashingAlgorithmSHA256 is the only hashing algorithm currently defined.
	HashingAlgorithmSHA256 HashingAlgorithm = "sha-256"
)

Supported values for EncryptionAlgorithm, plus the single supported HashingAlgorithm.

// Roles an account can hold within an organization. Any other value is
// rejected with ErrInvalidOrgRole.
const (
	OrgRoleAdmin  = "admin"
	OrgRoleMember = "member"
)

Roles

// Status values for rotatable resources such as secret keys. Writes with a
// non-OK key are refused (see ErrSecretKeyFlagged and ErrNoOKSecretKey).
const (
	// StatusOK signals everything is in order.
	StatusOK = "ok"
	// StatusFlagged signals that a resource should be considered compromised and should be rotated/no longer used.
	StatusFlagged = "flagged"
	// StatusFailed signals that revocation cannot complete.
	StatusFailed = "failed"
)

Status Constants

const (
	// CredentialProofPrefixAWS is the prefix to use in AWS STS proof plaintext.
	// The prefix domain-separates the proof so that plaintext signed for another
	// purpose cannot be presented as a SecretHub proof; judging by the name it is
	// followed by the role identity (confirm against the server-side check).
	CredentialProofPrefixAWS = "secrethub-allow-role="
)
const (
	// MaxEncryptedSecretSize is the maximum size of EncryptedSecretVersion.EncryptedData.
	// The bound is derived from a 512 KiB plaintext limit, inflated for base64
	// expansion and a small metadata allowance; ErrEncryptedDataTooBig reports it
	// in human-readable form.
	MaxEncryptedSecretSize = (512*4/3 + 5) * units.KiB // 512 KiB corrected for base64 overhead (4/3) and metadata
)
const (
	// ShortCredentialFingerprintMinimumLength is the smallest number of leading
	// fingerprint characters that may be used to refer to a credential
	// (ErrTooShortFingerprint). Shorter prefixes are refused because they would
	// match too many credentials; see also ErrCredentialFingerprintNotUnique.
	ShortCredentialFingerprintMinimumLength = 10
)

Variables

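// Account-name errors. Both errors carry no HTTP status (plain Error, not
// StatusError), so they are raised by local validation rather than mapped
// from a server response.
var (
	// ErrInvalidAccountName reports a name that is neither a valid username nor a valid service name.
	ErrInvalidAccountName = errAPI.Code("invalid_account_name").Error("An account name either needs to be a username or a service name")
	// ErrInvalidKeyID reports an account key id that does not parse.
	ErrInvalidKeyID = errAPI.Code("invalid_key_id").Error("id of the provided account key is invalid")

	// ServiceNamePrefix is the prefix that marks a service account name; usernames
	// may not start with it (ErrUsernameIsService). It is a var, not a const, so it
	// can be reassigned at runtime: treat it as read-only.
	ServiceNamePrefix = "s-"
)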

Errors

// Account-key errors.
var (
	// ErrAccountNotKeyed and ErrAccountKeyNotFound share the same message text but
	// differ in code and status (400 vs 404); callers should branch on the code.
	// NOTE(review): the code "account_not_keyed" is also used by ErrYourAccountNotKeyed
	// in the same errAPI namespace with a different message — clients matching on the
	// code cannot tell the two apart.
	ErrAccountNotKeyed    = errAPI.Code("account_not_keyed").StatusError("User has not yet keyed their account", http.StatusBadRequest)
	ErrAccountKeyNotFound = errAPI.Code("account_key_not_found").StatusError("User has not yet keyed their account", http.StatusNotFound)
	// ErrIllegalKeyVersion lives in the errHub namespace, unlike the two above.
	ErrIllegalKeyVersion  = errHub.Code("illegal_key_version").StatusError("key_version should be either v1 or v2", http.StatusBadRequest)
)

Errors

// Access-rule errors.
var (
	ErrInvalidSecretID         = errAPI.Code("invalid_secret_id").StatusError("invalid secret id", http.StatusBadRequest)
	ErrInvalidDirID            = errAPI.Code("invalid_dir_id").StatusError("invalid directory id", http.StatusBadRequest)
	// ErrAccessRuleAlreadyExists (409) and ErrAccessRuleNotFound (404) bracket the
	// create/delete lifecycle of an access rule.
	ErrAccessRuleAlreadyExists = errAPI.Code("access_rule_already_exists").StatusError("access rule already exists", http.StatusConflict)
	ErrAccessRuleNotFound      = errAPI.Code("access_rule_not_found").StatusError("access rule not found", http.StatusNotFound)
)

Errors

// Authentication-request and session errors.
var (
	// Malformed request (400): the session type, payload or auth method is not one the server understands.
	ErrInvalidSessionType = errAPI.Code("invalid_session_type").StatusError("invalid session type provided for authentication request", http.StatusBadRequest)
	ErrInvalidPayload     = errAPI.Code("invalid_payload").StatusError("invalid payload provided for authentication request", http.StatusBadRequest)
	ErrInvalidAuthMethod  = errAPI.Code("invalid_auth_method").StatusError("invalid auth method", http.StatusBadRequest)
	// ErrMissingField takes the field name as its single %s argument.
	ErrMissingField       = errAPI.Code("missing_field").StatusErrorPref("request is missing field %s", http.StatusBadRequest)
	// Session state (403): a session that cannot be found is reported the same way
	// as an expired one, so a client should re-authenticate in both cases.
	ErrSessionNotFound    = errAPI.Code("session_not_found").StatusError("session could not be found, it might have expired", http.StatusForbidden)
	ErrSessionExpired     = errAPI.Code("session_expired").StatusError("session has expired", http.StatusForbidden)
	// ErrAuthFailed carries no detail about which check failed; keep it that way so
	// the response does not reveal which part of a proof was wrong.
	ErrAuthFailed         = errAPI.Code("auth_failed").StatusError("authentication failed", http.StatusForbidden)
)

Errors

// Errors from AWS STS authentication.
var (
	ErrCouldNotGetEndpoint   = errAPI.Code("aws_endpoint_not_found").StatusError("could not find an AWS endpoint for the provided region", http.StatusBadRequest)
	// ErrAWSException (424 Failed Dependency) covers failures of the upstream AWS call itself, as opposed to a rejected identity.
	ErrAWSException          = errAPI.Code("aws_exception").StatusError("encountered an unexpected problem while verifying your identity on AWS. Please try again later.", http.StatusFailedDependency)
	// ErrNoServiceWithRole echoes the caller-supplied role ARN as its %s argument.
	ErrNoServiceWithRole     = errAPI.Code("no_service_with_role").StatusErrorPref("no service account found that is linked to the IAM role '%s'", http.StatusNotFound)
	// Both credential errors are 401: the request was either not signed at all or signed with something AWS rejected.
	ErrNoAWSCredentials      = errAPI.Code("missing_aws_credentials").StatusError("request was not signed with AWS credentials", http.StatusUnauthorized)
	ErrInvalidAWSCredentials = errAPI.Code("invalid_aws_credentials").StatusError("credentials were not accepted by AWS", http.StatusUnauthorized)
)

Errors

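// Errors from GCP service-account authentication.
var (
	// ErrInvalidGCPIDToken (400) reports an id_token that does not parse or verify.
	ErrInvalidGCPIDToken = errAPI.Code("invalid_id_token").StatusError("provided id_token is invalid", http.StatusBadRequest)
	// ErrNoGCPServiceWithEmail (401) takes the service-account email as its %s
	// argument; the quoting around the verb was previously unbalanced.
	ErrNoGCPServiceWithEmail = errAPI.Code("no_service_with_email").StatusErrorPref("no service account found that is linked to the GCP Service Account '%s'", http.StatusUnauthorized)
)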

Errors

// Ciphertext encoding errors. Per the package documentation these are slated
// for removal once the server no longer returns them; do not add new uses.
var (
	ErrUnknownAlgorithm  = errAPI.Code("unknown_algorithm").Error("algorithm of the encoded ciphertext is invalid")
	ErrInvalidCiphertext = errAPI.Code("invalid_ciphertext").Error("cannot encode invalid ciphertext")
	// NOTE(review): the code "invalid_metadata" is also used by ErrInvalidMetadataValue
	// (credential metadata) with a different message; clients keyed on the code cannot distinguish them.
	ErrInvalidMetadata   = errAPI.Code("invalid_metadata").Error("metadata of encrypted key is invalid")
)

Errors. These will be removed after the next server release, as they will then no longer be returned by the server.

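// Credential errors: fingerprint lookup, verifier/type validation, cloud-identity
// binding (AWS role, GCP service account) and credential metadata.
var (
	// Fingerprint lookup. A prefix shorter than ShortCredentialFingerprintMinimumLength
	// is refused outright; a longer one that still matches several credentials is a 409.
	ErrInvalidFingerprint                 = errAPI.Code("invalid_fingerprint").StatusError("fingerprint is invalid", http.StatusBadRequest)
	ErrTooShortFingerprint                = errAPI.Code("too_short_fingerprint").StatusErrorf("at least %d characters of the fingerprint must be entered", http.StatusBadRequest, ShortCredentialFingerprintMinimumLength)
	ErrCredentialFingerprintNotUnique     = errAPI.Code("fingerprint_not_unique").StatusErrorf("there are multiple credentials that start with the given fingerprint. Please use the full fingerprint", http.StatusConflict)
	ErrInvalidVerifier                    = errAPI.Code("invalid_verifier").StatusError("verifier is invalid", http.StatusBadRequest)
	ErrInvalidCredentialType              = errAPI.Code("invalid_credential_type").StatusError("credential type is invalid", http.StatusBadRequest)
	ErrInvalidCredentialDescription       = errAPI.Code("invalid_credential_description").StatusError("credential description can be at most 32 characters long", http.StatusBadRequest)
	// AWS binding. ErrInvalidProof and ErrAWSAccountMismatch are 401: the proof was
	// presented but does not establish the claimed identity.
	ErrInvalidAWSEndpoint                 = errAPI.Code("invalid_aws_endpoint").StatusError("invalid AWS endpoint provided", http.StatusBadRequest)
	ErrInvalidProof                       = errAPI.Code("invalid_proof").StatusError("invalid proof provided for credential", http.StatusUnauthorized)
	ErrAWSAccountMismatch                 = errAPI.Code("aws_account_mismatch").StatusError("the AWS Account ID in the role ARN does not match the AWS Account ID of the AWS credentials used for authentication. Make sure you are using AWS credentials that correspond to the role you are trying to add.", http.StatusUnauthorized)
	ErrAWSAuthFailed                      = errAPI.Code("aws_auth_failed").StatusError("authentication not accepted by AWS", http.StatusUnauthorized)
	// Message wording fixed ("could not found" -> "could not find"); code and status unchanged.
	ErrAWSKMSKeyNotFound                  = errAPI.Code("aws_kms_key_not_found").StatusError("could not find the KMS key", http.StatusNotFound)
	ErrInvalidRoleARN                     = errAPI.Code("invalid_role_arn").StatusError("provided role is not a valid ARN", http.StatusBadRequest)
	// Credential metadata (see the CredentialMetadata* keys). ErrMissingMetadata's
	// arguments are (key, credential type); ErrInvalidMetadataValue's are (key, reason).
	ErrMissingMetadata                    = errAPI.Code("missing_metadata").StatusErrorPref("expecting %s metadata provided for credentials of type %s", http.StatusBadRequest)
	// NOTE(review): the code "invalid_metadata" is shared with ErrInvalidMetadata
	// (encrypted-key metadata), so clients keyed on the code cannot tell them apart.
	ErrInvalidMetadataValue               = errAPI.Code("invalid_metadata").StatusErrorPref("invalid value for metadata %s: %s", http.StatusBadRequest)
	ErrUnknownMetadataKey                 = errAPI.Code("unknown_metadata_key").StatusErrorPref("unknown metadata key: %s", http.StatusBadRequest)
	// Metadata must agree with the verifier the credential was created with.
	ErrRoleDoesNotMatch                   = errAPI.Code("role_does_not_match").StatusError("role in metadata does not match the verifier", http.StatusBadRequest)
	ErrGCPServiceAccountEmailDoesNotMatch = errAPI.Code("service_account_email_mismatch").StatusError("service account email in metadata does not match the verifier", http.StatusBadRequest)
	// Disabling the credential that authenticated the current request would lock the caller out mid-session.
	ErrCannotDisableCurrentCredential     = errAPI.Code("cannot_disable_current_credential").StatusError("cannot disable the credential that is currently used on this device", http.StatusConflict)
)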

Errors

// Directory errors.
var (
	// ErrInvalidDirName states the complete naming rule so a client can show it verbatim.
	ErrInvalidDirName = errAPI.Code("invalid_dir_name").StatusError(
		"directory names must be between 2 and 32 characters long and "+
			"may only contain letters, numbers, dashes (-), underscores (_), and dots (.)",
		http.StatusBadRequest,
	)
	// Both blind-name errors embed ErrInvalidBlindName's text at package init;
	// Go orders package-level initialization by dependency, so that value is ready first.
	ErrInvalidDirBlindName    = errAPI.Code("invalid_dir_blind_name").StatusErrorf("directory blind name is invalid: %s", http.StatusBadRequest, ErrInvalidBlindName)
	ErrInvalidParentBlindName = errAPI.Code("invalid_parent_blind_name").StatusErrorf("directory parent blind name is invalid: %s", http.StatusBadRequest, ErrInvalidBlindName)
)

Errors

// Encrypted-key errors. None carries an HTTP status: they describe a key
// object that is malformed regardless of transport.
var (
	ErrInvalidEncryptionAlgorithm    = errAPI.Code("invalid_encryption_algorithm").Error("invalid encryption algorithm provided")
	ErrInvalidKeyType                = errAPI.Code("invalid_key_type").Error("invalid key type")
	// ErrKeyAlgorithmMismatch: the algorithm and the key type are each valid on
	// their own but cannot be combined (e.g. an asymmetric algorithm with a symmetric key).
	ErrKeyAlgorithmMismatch          = errAPI.Code("key_algorithm_mismatch").Error("mismatch between algorithm and key type")
	ErrInvalidKeyLength              = errAPI.Code("invalid_key_length").Error("key length value is invalid")
	ErrInvalidKeyDerivationAlgorithm = errAPI.Code("invalid_key_derivation_algorithm").Error("invalid key derivation algorithm")
)

Errors

// Ciphertext parameter errors (no HTTP status).
var (
	// A nonce of the wrong length must be rejected before decryption is attempted,
	// as reuse or truncation of AES-GCM nonces breaks its security guarantees.
	ErrInvalidNonceLength      = errAPI.Code("invalid_nonce_length").Error("invalid nonce length provided")
	ErrInvalidHashingAlgorithm = errAPI.Code("invalid_hashing_algorithm").Error("invalid hashing algorithm provided")
)

Errors

// Identity-provider link errors (GCP project linking).
var (
	ErrInvalidIDPLinkType          = errAPI.Code("invalid_idp_link_type").StatusError("invalid IDP link type", http.StatusBadRequest)
	// ErrInvalidGCPProjectID takes the offending project ID as its %s argument.
	ErrInvalidGCPProjectID         = errAPI.Code("invalid_gcp_project_id").StatusErrorPref("invalid GCP project ID: %s", http.StatusBadRequest)
	// ErrVerifyingGCPAccessProof is a 500: the verification itself failed, not the proof.
	ErrVerifyingGCPAccessProof     = errAPI.Code("gcp_verification_error").StatusError("could not verify GCP authorization", http.StatusInternalServerError)
	// The two 412 errors mean GCP rejected the caller's authorization or the caller
	// lacks projects.get on the project; both are fixed on the GCP side.
	ErrInvalidGCPAuthorizationCode = errAPI.Code("invalid_authorization_code").StatusError("authorization code was not accepted by GCP", http.StatusPreconditionFailed)
	ErrGCPLinkPermissionDenied     = errAPI.Code("gcp_permission_denied").StatusError("missing required projects.get permission to create link to GCP project", http.StatusPreconditionFailed)
)
// Path parsing errors (no HTTP status; produced while parsing a path string).
var (
	// The three form errors echo the rejected path as their %s argument, so the
	// caller's input ends up in the message.
	ErrInvalidSecretPath       = errAPI.Code("invalid_secret_path").ErrorPref("secret path must be of the form <namespace>/<repo>[/<dir-path>]/<secret> got '%s'")
	ErrInvalidRepoPath         = errAPI.Code("invalid_repo_path").ErrorPref("repo path must be of the form <namespace>/<repo> got '%s'")
	ErrInvalidDirPath          = errAPI.Code("invalid_dir_path").ErrorPref("dir path must be of the form <namespace>/<repo>[/<dir-path>] got '%s'")
	ErrInvalidNamespace        = errAPI.Code("invalid_namespace").Error("namespace must be a valid username or organization name")
	ErrInvalidPath             = errAPI.Code("invalid_path").Error("path is not a reference to a namespace, a repository, a directory, or a secret")
	ErrInvalidPathType         = errAPI.Code("invalid_path_type").Error("using an unknown path type")
	// Version suffix handling: a path either must or must not carry a version, depending on the operation.
	ErrPathAlreadyHasVersion   = errAPI.Code("path_already_has_version").Error("this secret path already has a version")
	ErrPathHasNoVersion        = errAPI.Code("path_has_no_version").Error("this secret path requires a version")
	ErrParentPathOnInvalidPath = errAPI.Code("parent_path_on_invalid_path").ErrorPref("retrieving a parent path on an invalid path: %s")
)

Errors

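// Validation errors for names, descriptions, blind names, permissions and
// cloud identifiers. All are 400 Bad Request; the messages spell out the
// accepted format so clients can surface them directly.
var (
	ErrInvalidOrgName = errAPI.Code("invalid_org_name").StatusError(
		"organization names must be between 3 and 32 characters long and "+
			"may only contain letters, numbers, dashes (-), underscores (_), and dots (.)",
		http.StatusBadRequest,
	)
	// Trailing space removed from the message; code and status unchanged.
	ErrOrgNameMustContainAlphanumeric = errAPI.Code("org_name_must_contain_alphanumeric").StatusError(
		"organization names must contain at least one alphanumeric character",
		http.StatusBadRequest,
	)
	ErrInvalidDescription = errAPI.Code("invalid_description").StatusError(
		"descriptions have a maximum length of 144 characters "+
			"and may only contain (special) letters, numbers, spaces, and punctuation characters",
		http.StatusBadRequest,
	)
	// ErrInvalidBlindName is also embedded in ErrInvalidDirBlindName and ErrInvalidParentBlindName.
	ErrInvalidBlindName     = errAPI.Code("invalid_blind_name").StatusError("The blind name is not a 256 bits string encoded with URL safe base64", http.StatusBadRequest)
	ErrInvalidDirPermission = errAPI.Code("invalid_dir_permission").StatusError(
		"directory permission may only consist of up to 3 unique letters r (read), w (write), and a (admin)",
		http.StatusBadRequest,
	)
	ErrInvalidDirRole = errAPI.Code("invalid_dir_role").StatusError(
		"directory roles must be either read, write, or admin",
		http.StatusBadRequest,
	)
	// A full fingerprint is 64 hex characters; see ShortCredentialFingerprintMinimumLength for prefix lookups.
	ErrInvalidCredentialFingerprint = errAPI.Code("invalid_credential_fingerprint").StatusError(
		"credential fingerprint must consist of 64 hexadecimal characters",
		http.StatusBadRequest,
	)

	ErrInvalidGCPServiceAccountEmail = errAPI.Code("invalid_service_account_email").StatusError("not a valid GCP service account email", http.StatusBadRequest)
	// The exported identifier keeps its historical spelling ("UserManager"); only the
	// message wording was corrected to "user-managed".
	ErrNotUserManagerGCPServiceAccountEmail = errAPI.Code("require_user_managed_service_account").StatusError("provided GCP service account email is not for a user-managed service account", http.StatusBadRequest)
	ErrInvalidGCPKMSResourceID              = errAPI.Code("invalid_key_resource_id").StatusError("not a valid resource ID, expected: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY", http.StatusBadRequest)
	ErrInvalidSetupCode                     = errAPI.Code("invalid_setup_code").StatusError("setup code starts with su- and is followed by groups of letters and numbers separated by dashes", http.StatusBadRequest)
)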

Errors

// Repository creation and membership errors.
var (
	ErrInvalidRepoName = errAPI.Code("invalid_repo_name").StatusError(
		"repo names must be between 1 and 32 characters long and "+
			"may only contain letters, numbers, dashes (-), underscores (_), and dots (.)",
		http.StatusBadRequest,
	)
	ErrInvalidRepoEncryptionKey        = errAPI.Code("invalid_repo_encryption_key").StatusError("repo encryption key is invalid", http.StatusBadRequest)
	ErrInvalidRepoIndexKey             = errAPI.Code("invalid_repo_index_key").StatusError("repo index key is invalid", http.StatusBadRequest)
	ErrInvalidAccountID                = errAPI.Code("invalid_account_id").StatusError("account id is invalid", http.StatusBadRequest)
	// The two member-account-id errors guard against key material being encrypted
	// for an account other than the one actually being invited.
	ErrInvalidSecretMemberAccountID    = errAPI.Code("invalid_secret_member_account_id").StatusError("account id of secret member does not correspond to the account id of the invited user", http.StatusBadRequest)
	ErrInvalidSecretKeyMemberAccountID = errAPI.Code("invalid_secret_key_member_account_id").StatusError("account id of secret key member does not correspond to the account id of the invited user", http.StatusBadRequest)
	ErrRepoMemberNotFound              = errAPI.Code("repo_member_not_found").StatusError("repo member not found", http.StatusNotFound)
	// A create-repo request must include both a root directory and the creator's membership.
	ErrNoRootDir                       = errAPI.Code("no_root_dir").StatusError("there is no create dir request for the root directory", http.StatusBadRequest)
	ErrNoRepoMember                    = errAPI.Code("no_repo_member").StatusError("there is no create repo member request for the root directory", http.StatusBadRequest)
)

Errors

// Secret and secret-version errors.
var (
	ErrInvalidSecretName = errAPI.Code("invalid_secret_name").StatusError(
		"secret names must be between 1 and 32 characters and "+
			"may only contain letters, numbers, dashes (-), underscores (_), and dots (.)",
		http.StatusBadRequest,
	)

	// Version selectors are positive integers or the literal "latest".
	ErrInvalidSecretVersion = errAPI.Code("invalid_secret_version").StatusError(
		"secret version can only be positive numbers or latest",
		http.StatusBadRequest,
	)

	ErrInvalidNodeID              = errAPI.Code("invalid_node_id").StatusError("the node id is invalid", http.StatusBadRequest)
	ErrInvalidEncryptedSecretName = errAPI.Code("invalid_encrypted_secret_name").StatusError("invalid ciphertext for encrypted secret name", http.StatusBadRequest)
	ErrInvalidSecretBlindName     = errAPI.Code("invalid_secret_blind_name").StatusError("secret blind name is invalid", http.StatusBadRequest)
	ErrInvalidSecretBlob          = errAPI.Code("invalid_secret_blob").StatusError("secret blob is invalid", http.StatusBadRequest)
	ErrNoSecretMembers            = errAPI.Code("no_secret_members").StatusError("no secret members added to write request", http.StatusBadRequest)

	ErrInvalidSecretKeyID              = errAPI.Code("invalid_secret_key_id").StatusError("secret_key_id is invalid", http.StatusBadRequest)
	// ErrNotEncryptedForAccounts is a 409 rather than a 400: the message describes a
	// race with concurrent access-rule creation, so the client is told to retry.
	ErrNotEncryptedForAccounts         = errAPI.Code("not_encrypted_for_accounts").StatusError("missing data encrypted for accounts. This can occur when access rules are simultaneously created with resources controlled by the access rule. You may try again.", http.StatusConflict)
	ErrNotUniquelyEncryptedForAccounts = errAPI.Code("not_uniquely_encrypted_for_accounts").StatusError("not uniquely encrypted for accounts", http.StatusBadRequest)

	// Deleting the last version would leave an empty secret; delete the secret instead.
	ErrCannotDeleteLastSecretVersion = errAPI.Code("cannot_delete_last_version").StatusError("Cannot delete the last version of a secret", http.StatusForbidden)
)

Errors

// Errors returned by the SecretHub API. Codes are split across two namespaces,
// errHub (older, generic) and errAPI (newer, resource-specific); clients should
// match on the code string, not the message.
var (

	// General
	ErrNotFound                  = errHub.Code("not_found").StatusError("Not found", http.StatusNotFound)
	// ErrValidationFailed uses 417 Expectation Failed; unusual for validation, but
	// part of the wire contract, so do not change it without a server release.
	ErrValidationFailed          = errHub.Code("validation_failed").StatusError("Validation errors", http.StatusExpectationFailed)
	ErrBadRequest                = errHub.Code("bad_request").StatusError("Bad request", http.StatusBadRequest)
	// ErrTimeout is reported as a 500 rather than 504; clients cannot tell it from a generic server failure by status alone.
	ErrTimeout                   = errHub.Code("timeout").StatusError("Timeout", http.StatusInternalServerError)
	ErrUnknownMethod             = errHub.Code("method_not_supported").StatusError("Method not supported", http.StatusNotImplemented)
	ErrDomainNotFound            = errHub.Code("domain_not_found").StatusError("Domain not found", http.StatusNotFound)
	// ErrForbidden (403) is authorization; ErrRequestNotAuthenticated (401) is a missing
	// or unusable credential. Keep the distinction when mapping server responses.
	ErrForbidden                 = errAPI.Code("forbidden").StatusError("You are not allowed to perform this action", http.StatusForbidden)
	ErrRequestNotAuthenticated   = errAPI.Code("not_authenticated").StatusError("Request was not authenticated. Please ensure that the client has access to a credential or that an identity provider is configured correctly.", http.StatusUnauthorized)
	ErrNoAccountKeyForCredential = errAPI.Code("no_account_key_for_credential").StatusError("Could not find account-key for credential used for authentication.", http.StatusInternalServerError)
	ErrCannotPerformActionOnSelf = errAPI.Code("cannot_perform_action_on_self").StatusError("You cannot perform this action on yourself", http.StatusForbidden)
	// NOTE(review): "account_not_keyed" is the same code as ErrAccountNotKeyed (also
	// errAPI) with a different message; a client switching on the code sees one error.
	ErrYourAccountNotKeyed       = errAPI.Code("account_not_keyed").StatusError("Your account has not been fully initialized", http.StatusBadRequest)

	// DB
	ErrDatabaseRecordAlreadyExists = errHub.Code("already_exists").StatusError("Already exists", http.StatusConflict)

	// Namespaces
	ErrNamespaceNotFound                      = errAPI.Code("namespace_not_found").StatusError("Namespace not found", http.StatusNotFound)
	ErrNamespaceAlreadyExists                 = errAPI.Code("namespace_already_exists").StatusError("this name already exists", http.StatusConflict)
	ErrCannotPerformActionOnPersonalNamespace = errAPI.Code("not_allowed_on_personal_namespace").StatusError("you cannot perform this action on a personal namespace", http.StatusForbidden)

	// Auth
	ErrAccountIncomplete    = errHub.Code("account_incomplete").StatusError("This account is not registered, please create a user first", http.StatusForbidden)
	ErrTokenNotVerified     = errHub.Code("token_not_verified").StatusError("Token not verified", http.StatusUnauthorized)
	ErrPasswordTooWeak      = errHub.Code("password_too_weak").StatusError("The password must be longer than 8 characters", http.StatusBadRequest)
	// ErrSignatureNotVerified: the request carried a signature but it did not verify
	// against any known credential (contrast ErrRequestNotAuthenticated, no credential at all).
	ErrSignatureNotVerified = errHub.Code("invalid_signature").StatusError("request was not signed by a valid credential", http.StatusUnauthorized)

	// Repos
	// ErrRepoNotFound takes the repo path as its %s argument.
	ErrRepoNotFound      = errHub.Code("repo_not_found").StatusErrorPref("Repo '%s' not found", http.StatusNotFound)
	ErrRepoAlreadyExists = errHub.Code("repo_already_exists").StatusError("Repo already exists, please create a different repo", http.StatusConflict)

	// Dirs
	// Directories and secrets share one namespace: either existing blocks creation of the other (see also ErrSecretAlreadyExists).
	ErrDirAlreadyExists    = errHub.Code("dir_already_exists").StatusError("Directory or secret already exists, create a different directory", http.StatusConflict)
	ErrDirNotFound         = errHub.Code("dir_not_found").StatusError("Directory not found", http.StatusNotFound)
	ErrParentDirNotFound   = errHub.Code("parent_dir_not_found").StatusError("Parent directory not found", http.StatusNotFound)
	ErrCannotRemoveRootDir = errHub.Code("cannot_remove_root_dir").StatusError("Root directory of a repository cannot be removed, remove the repository instead", http.StatusBadRequest)

	// Secrets
	ErrSecretAlreadyExists   = errHub.Code("secret_already_exists").StatusError("Secret or directory already exists, please update or create a different secret", http.StatusConflict)
	ErrSecretNotFound        = errHub.Code("secret_not_found").StatusError("Secret not found", http.StatusNotFound)
	ErrSecretVersionNotFound = errHub.Code("version_not_found").StatusError("Version of secret not found", http.StatusNotFound)
	ErrSecretKeyNotFound     = errHub.Code("secret_key_not_found").StatusError("Key for secret not found", http.StatusNotFound)

	// Secret Keys
	// Messages are built with fmt.Sprintf at init so they quote the Status* constants verbatim.
	ErrSecretKeyFlagged = errAPI.Code("secret_key_flagged").StatusError(fmt.Sprintf("Cannot write new secrets with a key that has status %s", StatusFlagged), http.StatusBadRequest)
	ErrNoOKSecretKey    = errAPI.Code("no_secret_key_found_with_status_ok").StatusError(fmt.Sprintf("No secret key found with status %s", StatusOK), http.StatusNotFound)

	// Organization
	ErrOrgAlreadyExists         = errAPI.Code("org_already_exists").StatusError("Organization already exists, please create a different organization", http.StatusConflict)
	ErrOrgNotFound              = errAPI.Code("org_not_found").StatusError("Organization not found", http.StatusNotFound)
	ErrOrgMemberNotFound        = errAPI.Code("org_member_not_found").StatusError("Organization member not found", http.StatusNotFound)
	ErrOrgMemberAlreadyExists   = errAPI.Code("org_member_already_exists").StatusError("Organization member already exists", http.StatusConflict)
	// Valid values are OrgRoleAdmin and OrgRoleMember.
	ErrInvalidOrgRole           = errAPI.Code("invalid_org_role").StatusError("Organization role is invalid. Must be either `admin` or `member`", http.StatusBadRequest)
	ErrCannotRemoveLastOrgAdmin = errAPI.Code("cannot_remove_last_org_admin").StatusError("The last admin of an organization cannot be removed.", http.StatusForbidden)

	// User
	// NOTE(review): the three lookup/registration errors below confirm whether a given
	// email or username exists. That is an account-enumeration signal; whether it is
	// acceptable depends on the threat model and on rate limiting at the server (not visible here).
	ErrUserEmailAlreadyExists = errHub.Code("user_email_already_exists").StatusError("That email address is already in use", http.StatusConflict)
	ErrUsernameAlreadyExists  = errHub.Code("username_already_exists").StatusError("A user with the given username already exists, please choose a different username", http.StatusConflict)
	ErrUserNotFound           = errHub.Code("user_not_found").StatusError("User not found, please verify username", http.StatusNotFound)
	ErrNotAUser               = errHub.Code("not_a_user").StatusError("Only users can perform this action", http.StatusForbidden)
	ErrNotOwner               = errHub.Code("not_owner").StatusError("Only repo owners can perform this action", http.StatusForbidden)
	ErrCannotAddYourself      = errHub.Code("cannot_add_self").StatusError("You cannot add yourself to your repo", http.StatusForbidden)
	ErrCannotRemoveYourself   = errHub.Code("cannot_remove_self").StatusError("You cannot remove yourself from your repo", http.StatusForbidden)

	// Service
	ErrServiceNotFound      = errHub.Code("service_not_found").StatusError("Service not found", http.StatusNotFound)
	ErrAccountIsNotService  = errHub.Code("not_a_service").StatusError("Account name does not represent a service", http.StatusBadRequest)
	ErrServiceAlreadyExists = errHub.Code("service_already_exists").StatusError("Service already exists, please create a different service", http.StatusConflict)
	ErrNoAdminAccess        = errHub.Code("no_admin_access").StatusError("Only accounts with Admin access can perform this action", http.StatusForbidden)
	ErrMemberAlreadyExists  = errHub.Code("member_already_exists").StatusError("The member already exists", http.StatusConflict)

	// AWS IdP
	// One IAM role maps to at most one service account; the binding must be released before it can be reused.
	ErrAWSRoleAlreadyTaken = errHub.Code("aws_role_taken").StatusError("a service account coupled to that IAM role already exists. Delete the existing service account or create a new one using a different IAM role.", http.StatusConflict)

	// GCP IdP
	// Same one-to-one rule for GCP service account emails.
	ErrGCPServiceAccountAlreadyTaken = errHub.Code("gcp_service_account_taken").StatusError("a SecretHub service account coupled to that GCP Service Account email already exists. Delete the existing SecretHub service account or create a new one using a different GCP Service Account email.", http.StatusConflict)

	// Account
	ErrAccountNotFound    = errHub.Code("account_not_found").StatusError("Account not found", http.StatusNotFound)
	ErrUnknownSubjectType = errHub.Code("unknown_subject_type").Error("Unknown subject type") // no status error because it is an internal error
	ErrUnknownAccountType = errHub.Code("unknown_account_type").Error("Unknown account type") // no status error because it is an internal error
	ErrNotMemberOfRepo    = errHub.Code("not_repo_member").StatusError("Account is not a member of the repo", http.StatusBadRequest)

	// Credential
	ErrCredentialNotFound      = errHub.Code("credential_not_found").StatusError("Credential not found", http.StatusNotFound)
	ErrCredentialAlreadyExists = errHub.Code("credential_already_exists").StatusError("A credential with the given identifier already exists", http.StatusConflict)

	// Account key
	// ErrPublicAccountKeyConflict protects against silently replacing the public key
	// other members already encrypt to; a mismatch is a hard 409, not an update.
	ErrPublicAccountKeyConflict = errHub.Code("public_account_key_does_not_match").StatusError("A different public account key is already registered for this account", http.StatusConflict)
	ErrPrivateKeyAlreadyExists  = errHub.Code("private_key_already_exists").StatusError("A private key for this credential already exists.", http.StatusConflict)
	ErrCredentialNotKeyed       = errHub.Code("credential_not_keyed").StatusError("The account key has not been encrypted for this credential", http.StatusNotFound)

	// Dirs
	ErrCannotRemoveLastRootAdmin = errHub.Code("cannot_remove_last_root_admin").StatusError("Cannot remove the last admin on the repo root", http.StatusBadRequest)
)

Errors returned by the SecretHub API

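// Service-account errors.
var (
	// ErrInvalidServiceID: a service id is the ServiceNamePrefix ("s-") followed by
	// twelve further characters.
	ErrInvalidServiceID = errAPI.Code("invalid_service_id").StatusError(
		"service id is 14 characters long and starts with s-",
		http.StatusBadRequest,
	)
	// ErrInvalidServiceDescription quotes the limit at init time; the message
	// previously read "%d long" with the unit missing.
	ErrInvalidServiceDescription = errAPI.Code("invalid_service_description").StatusError(
		fmt.Sprintf(
			"service descriptions can at most be %d characters long and cannot contain any newlines or tabs",
			serviceDescriptionMaxLength,
		),
		http.StatusBadRequest,
	)
	// ErrAccessDeniedToKMSKey (403): the KMS key exists but the caller's cloud identity may not use it.
	ErrAccessDeniedToKMSKey = errAPI.Code("access_denied").StatusError("access to KMS key is denied", http.StatusForbidden)
)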

Errors

// Errors from assembling an EncryptedTree. Both are 500s: they indicate an
// inconsistent tree coming back from the server, not a client mistake.
var (
	ErrParentDirNotAvailable = errAPI.Code("parent_dir_not_available").StatusError("the parent directory is not available in EncryptedTree", http.StatusInternalServerError)
	ErrMultipleRootDirs      = errAPI.Code("multiple_root_dirs").StatusError("there are multiple root directories possible", http.StatusInternalServerError)
)

Errors

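// User registration and profile validation errors.
var (
	ErrInvalidUsername = errAPI.Code("invalid_username").StatusError(
		"usernames must be between 3 and 32 characters long and "+
			"may only contain letters, numbers, dashes (-), underscores (_), and dots (.)",
		http.StatusBadRequest,
	)
	// Trailing space removed from the message; code and status unchanged.
	ErrUsernameMustContainAlphanumeric = errAPI.Code("username_must_contain_alphanumeric").StatusError(
		"usernames must contain at least one alphanumeric character",
		http.StatusBadRequest,
	)
	// The ServiceNamePrefix is reserved so that a username can never be mistaken for a service account.
	ErrUsernameIsService = errAPI.Code("username_is_service").StatusError(
		"usernames cannot start with s- as that prefix is reserved for service accounts",
		http.StatusBadRequest,
	)
	ErrInvalidPublicKey = errAPI.Code("invalid_public_key").StatusError("public key is invalid", http.StatusBadRequest)
	ErrInvalidEmail     = errAPI.Code("invalid_email").StatusError("email address is invalid", http.StatusBadRequest)
	ErrInvalidFullName  = errAPI.Code("invalid_full_name").StatusError(
		"full names may be at most 128 characters long and "+
			"may only contain (special) letters, apostrophes ('), spaces and dashes (-)",
		http.StatusBadRequest,
	)
	ErrNoPasswordNorCredential = errAPI.Code("no_password_nor_credential").StatusError("either a password or a credential should be supplied", http.StatusBadRequest)
	// ErrTooManyVerificationRequests (429) rate-limits verification e-mails per account.
	ErrTooManyVerificationRequests = errAPI.Code("too_many_verification_requests").StatusError("another verification email was requested recently, please wait a few minutes before trying again", http.StatusTooManyRequests)
)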

Errors

var (
	// ErrAccessLevelUnknown reports an access level outside the known set (no HTTP status attached).
	ErrAccessLevelUnknown = errAPI.Code("access_level_unknown").Error("The access level is not known")
)

Error

var (
	// ErrEncryptedDataTooBig reports EncryptedData larger than MaxEncryptedSecretSize.
	// The limit is rendered with units.BytesSize at init so the message tracks the constant.
	ErrEncryptedDataTooBig = errAPI.Code("encrypted_data_too_big").Error(fmt.Sprintf("maximum size of encrypted data is %s", units.BytesSize(MaxEncryptedSecretSize)))
)

Errors

Functions

func GetFingerprint added in v0.21.0

func GetFingerprint(t CredentialType, verifier []byte) string

GetFingerprint returns the fingerprint of a credential.

func Int added in v0.21.0

func Int(val int) *int

Int converts an int into a *int.

func IntValue added in v0.21.0

func IntValue(val *int) int

IntValue safely converts a *int into an int.

func IsErrDisabled added in v0.30.0

func IsErrDisabled(err error) bool

IsErrDisabled returns whether the given error is caused because the feature is disabled.

func IsErrNotFound added in v0.21.0

func IsErrNotFound(err error) bool

IsErrNotFound returns whether the given error is caused by a non-existent resource.

func IsKnownError added in v0.30.0

func IsKnownError(err error) bool

IsKnownError returns whether the given error is a known SecretHub error.

func JoinPaths added in v0.21.0

func JoinPaths(components ...string) string

JoinPaths joins any number of path elements into a single path.

func ProjectIDFromGCPEmail added in v0.30.0

func ProjectIDFromGCPEmail(in string) (string, error)

ProjectIDFromGCPEmail returns the project ID included in the email of a GCP Service Account. If the input is not a valid user-managed GCP Service Account email, an error is returned.

func String added in v0.21.0

func String(val string) *string

String converts a string into a *string.

func StringValue added in v0.21.0

func StringValue(val *string) string

StringValue safely converts a *string into a string.

func ValidateAccountName

func ValidateAccountName(name string) error

ValidateAccountName validates an AccountName.

func ValidateBlindName

func ValidateBlindName(blindName string) error

ValidateBlindName validates a blind name.

func ValidateCredentialDescription added in v0.25.0

func ValidateCredentialDescription(description string) error

ValidateCredentialDescription validates the description for a credential.

func ValidateCredentialFingerprint added in v0.25.0

func ValidateCredentialFingerprint(fingerprint string) error

ValidateCredentialFingerprint validates whether the given string is a valid credential fingerprint.

func ValidateDirPath

func ValidateDirPath(path string) error

ValidateDirPath validates a dir path of form :owner/:repo_name/[parents/]*:directory.

func ValidateEmail

func ValidateEmail(email string) error

ValidateEmail validates an email address.

func ValidateFullName

func ValidateFullName(fullName string) error

ValidateFullName validates a user's full name.

func ValidateGCPKMSKeyResourceID added in v0.29.0

func ValidateGCPKMSKeyResourceID(v string) error

ValidateGCPKMSKeyResourceID validates whether the given string is potentially a valid resource ID for a GCP KMS key. The function does a best-effort check. If no error is returned, this does not mean the value is accepted by GCP.

func ValidateGCPProjectID added in v0.30.0

func ValidateGCPProjectID(projectID string) error

ValidateGCPProjectID returns an error if the provided value is not a valid GCP project ID.

func ValidateGCPUserManagedServiceAccountEmail added in v0.30.0

func ValidateGCPUserManagedServiceAccountEmail(v string) error

ValidateGCPUserManagedServiceAccountEmail validates whether the given string is potentially a valid email for a user-managed GCP Service Account. The function does a best-effort check. If no error is returned, this does not mean the value is accepted by GCP.

func ValidateLinkedID added in v0.30.0

func ValidateLinkedID(linkType IdentityProviderLinkType, linkedID string) error

ValidateLinkedID calls the validation function corresponding to the link type and returns the corresponding result.

func ValidateNamespace

func ValidateNamespace(namespace string) error

ValidateNamespace validates a username.

func ValidateOrgDescription

func ValidateOrgDescription(description string) error

ValidateOrgDescription validates an organization description.

func ValidateOrgName

func ValidateOrgName(name string) error

ValidateOrgName validates an organization name.

func ValidateOrgRole

func ValidateOrgRole(role string) error

ValidateOrgRole validates an organization role.

func ValidateRepoName

func ValidateRepoName(name string) error

ValidateRepoName validates a repo name.

func ValidateRepoPath

func ValidateRepoPath(path string) error

ValidateRepoPath validates a repo path of form :owner/:repo_name.

func ValidateSecretName

func ValidateSecretName(name string) error

ValidateSecretName validates a secret name.

func ValidateSecretPath

func ValidateSecretPath(path string) error

ValidateSecretPath validates a secret path of form :owner/:repo_name/:secretname.

func ValidateServiceDescription

func ValidateServiceDescription(description string) error

ValidateServiceDescription validates a service description.

func ValidateServiceID

func ValidateServiceID(serviceID string) error

ValidateServiceID validates a service id.

func ValidateSetupCode added in v0.31.0

func ValidateSetupCode(code string) error

ValidateSetupCode checks whether the given string has the format of a valid setup code.

func ValidateShortCredentialFingerprint added in v0.25.0

func ValidateShortCredentialFingerprint(fingerprint string) error

ValidateShortCredentialFingerprint validates whether the given string can be used as a short version of a credential fingerprint.

func ValidateUsername

func ValidateUsername(username string) error

ValidateUsername validates a username.

Types

type AccessLevel

// AccessLevel is the effective permission of an account on a directory.
// Account is a pointer and may be nil; AccountID always carries the account's id.
type AccessLevel struct {
	Account    *Account   `json:"account"`
	AccountID  uuid.UUID  `json:"account_id"`
	DirID      uuid.UUID  `json:"dir_id"`
	Permission Permission `json:"permission"`
}

AccessLevel defines the permissions of an account on a directory and is the effect of one or more access rules on the directory itself or its parent(s).

type AccessRule

// AccessRule is a permission granted to an account on a directory (and, per the
// package docs, its children). Account may be nil; AccountID is the stable reference.
type AccessRule struct {
	Account       *Account   `json:"account"`
	AccountID     uuid.UUID  `json:"account_id"`
	DirID         uuid.UUID  `json:"dir_id"`
	RepoID        uuid.UUID  `json:"repo_id"`
	Permission    Permission `json:"permission"`
	CreatedAt     time.Time  `json:"created_at"`
	LastChangedAt time.Time  `json:"last_changed_at"`
}

AccessRule defines the permission of an account on a directory and its children.

type Account

// Account is a SecretHub account (a user or a service, see AccountName).
type Account struct {
	AccountID uuid.UUID `json:"account_id"`
	Name      AccountName `json:"name"`
	// PublicKey is the raw public key bytes; the encoding is not visible here — confirm with the crypto package.
	PublicKey   []byte      `json:"public_key"`
	AccountType string      `json:"account_type"`
	CreatedAt   time.Time   `json:"created_at"`
}

Account represents an account on SecretHub.

type AccountName

type AccountName string

AccountName represents the name of either a user or a service.

func NewAccountName

func NewAccountName(name string) (AccountName, error)

NewAccountName validates an account's name and returns it as a typed AccountName when valid.

func (AccountName) IsService

func (n AccountName) IsService() bool

IsService returns true if the AccountName contains the name of a service.

func (AccountName) IsUser

func (n AccountName) IsUser() bool

IsUser returns true if the AccountName contains the name of a user.

func (*AccountName) Set

func (n *AccountName) Set(value string) error

Set sets the AccountName to the value.

func (AccountName) String

func (n AccountName) String() string

String returns the account's name as a string to be used for printing.

func (AccountName) Validate

func (n AccountName) Validate() error

Validate checks whether an AccountName is valid.

func (AccountName) Value

func (n AccountName) Value() string

Value returns the account's name as a string to be used in communication with the client and in transportation to the server.

type Audit

// Audit is one audit event: who (Actor) did what (Action) to which resource
// (Subject), in which Repo, from which IPAddress and when (LoggedAt).
type Audit struct {
	EventID   uuid.UUID    `json:"event_id"`
	Action    AuditAction  `json:"action"`
	IPAddress string       `json:"ip_address"`
	LoggedAt  time.Time    `json:"logged_at"`
	Repo      Repo         `json:"repo"`
	Actor     AuditActor   `json:"actor"`
	Subject   AuditSubject `json:"subject"`
}

Audit represents an AuditEvent in SecretHub.

type AuditAction

type AuditAction string

AuditAction represents the action that was performed to create this audit event.

// AuditAction values. AuditActionUnknown is the fallback for an action the
// client does not recognise; the remaining four are the CRUD operations.
const (
	AuditActionUnknown AuditAction = "unknown"
	AuditActionCreate  AuditAction = "create"
	AuditActionRead    AuditAction = "read"
	AuditActionUpdate  AuditAction = "update"
	AuditActionDelete  AuditAction = "delete"
)

AuditAction values.

type AuditActor

// AuditActor is the account that performed an audit event. Exactly which of
// User and Service is populated follows Type; both are omitted from JSON when nil.
type AuditActor struct {
	ActorID uuid.UUID `json:"id,omitempty"`
	Deleted bool      `json:"deleted,omitempty"`
	// Type is `user` or `service`. When actor is deleted, type is always `account`
	Type    string   `json:"type"`
	User    *User    `json:"user,omitempty"`
	Service *Service `json:"service,omitempty"`
}

AuditActor represents the Account of an AuditEvent.

type AuditSubject

// AuditSubject is the resource an audit event acted on. Only the pointer field
// matching Type is expected to be set; the Encrypted* fields are what the API
// returns and are converted to their decrypted counterparts by the client.
type AuditSubject struct {
	SubjectID uuid.UUID `json:"id,omitempty"`
	Deleted   bool      `json:"deleted,omitempty"`
	// Type is `user`, `service`, `repo`, `secret`, `secret_version` or `secret_key`. When subject is deleted, user and service are indicated with type `account`
	Type                   AuditSubjectType        `json:"type"`
	User                   *User                   `json:"user,omitempty"`
	Service                *Service                `json:"service,omitempty"`
	Repo                   *Repo                   `json:"repo,omitempty"`
	EncryptedSecret        *EncryptedSecret        `json:"encrypted_secret,omitempty"` // This is converted to a Secret by the Client.
	Secret                 *Secret                 `json:"secret,omitempty"`
	EncryptedSecretVersion *EncryptedSecretVersion `json:"encrypted_secret_version,omitempty"` // This is converted to a SecretVersion by the Client.
	SecretVersion          *SecretVersion          `json:"secret_version,omitempty"`
}

AuditSubject represents the Subject of an AuditEvent.

type AuditSubjectType

type AuditSubjectType string

AuditSubjectType represents the type of an audit subject.

type AuditSubjectTypeList

type AuditSubjectTypeList []AuditSubjectType

AuditSubjectTypeList represents a list of AuditSubjectTypes.

func (AuditSubjectTypeList) Join

func (l AuditSubjectTypeList) Join(separator string) string

Join converts an AuditSubjectTypeList to a string where each AuditSubjectType is separated by separator.

type AuthPayloadAWSSTS added in v0.21.0

// AuthPayloadAWSSTS is the payload of an AuthRequest with method AuthMethodAWSSTS.
// Request holds the STS request as raw bytes; its exact encoding is not visible
// here — confirm against the AWS client code.
type AuthPayloadAWSSTS struct {
	Region  string `json:"region"`
	Request []byte `json:"request"`
}

AuthPayloadAWSSTS is the authentication payload used for authenticating with AWS STS.

func (AuthPayloadAWSSTS) Validate added in v0.21.0

func (pl AuthPayloadAWSSTS) Validate() error

Validate whether the AuthPayloadAWSSTS is valid.

type AuthPayloadGCPServiceAccount added in v0.29.0

// AuthPayloadGCPServiceAccount is the payload of an AuthRequest with method
// AuthMethodGCPServiceAccount. IDToken is a bearer-style token and should be
// treated as sensitive (not logged).
type AuthPayloadGCPServiceAccount struct {
	IDToken string `json:"id_token"`
}

AuthPayloadGCPServiceAccount is the authentication payload used for authenticating with a GCP Service Account.

func (AuthPayloadGCPServiceAccount) Validate added in v0.29.0

func (pl AuthPayloadGCPServiceAccount) Validate() error

type AuthRequest added in v0.21.0

// AuthRequest asks the API for a session. Payload is untyped on the wire; the
// type's UnmarshalJSON selects the concrete payload type from Method.
type AuthRequest struct {
	Method      string      `json:"method"`
	SessionType SessionType `json:"session_type"`
	Payload     interface{} `json:"payload"`
}

AuthRequest is a request to authenticate and request a session.

func NewAuthRequestAWSSTS added in v0.21.0

func NewAuthRequestAWSSTS(sessionType SessionType, region string, stsRequest []byte) AuthRequest

NewAuthRequestAWSSTS returns a new AuthRequest for authentication using AWS STS.

func NewAuthRequestGCPServiceAccount added in v0.29.0

func NewAuthRequestGCPServiceAccount(sessionType SessionType, idToken string) AuthRequest

NewAuthRequestGCPServiceAccount returns a new AuthRequest for authentication using a GCP Service Account.

func (*AuthRequest) UnmarshalJSON added in v0.21.0

func (r *AuthRequest) UnmarshalJSON(b []byte) error

UnmarshalJSON converts a JSON representation into a AuthRequest with the correct Payload.

func (*AuthRequest) Validate added in v0.21.0

func (r *AuthRequest) Validate() error

Validate whether an AuthRequest is a valid request.

type BlindNamePath

// BlindNamePath is implemented by path types (e.g. DirPath) whose plaintext
// name can be turned into a blind name with a repo's symmetric key.
type BlindNamePath interface {
	// BlindName returns the blindname corresponding to this path.
	BlindName(key *crypto.SymmetricKey) (string, error)
	// GetRepoPath returns the RepoPath inside this BlindNamePath.
	GetRepoPath() RepoPath
}

BlindNamePath represents a path that can be converted into a BlindName and exposes the necessary functions.

type CreateAccessRuleRequest

// CreateAccessRuleRequest grants Permission on a directory. Because names and
// secrets are end-to-end encrypted, the request must also carry the directory
// names (EncryptedDirs) and secret material (EncryptedSecrets) re-encrypted for
// the account being granted access.
type CreateAccessRuleRequest struct {
	Permission       Permission                    `json:"permission"`
	EncryptedDirs    []EncryptedNameForNodeRequest `json:"encrypted_dirs"`
	EncryptedSecrets []SecretAccessRequest         `json:"encrypted_secrets"`
}

CreateAccessRuleRequest contains the request fields for creating an AccessRule.

func (*CreateAccessRuleRequest) Validate

func (car *CreateAccessRuleRequest) Validate() error

Validate validates the request fields.

type CreateAccountKeyRequest

// CreateAccountKeyRequest uploads an account key pair: the public key in the
// clear and the private key only as EncryptedData (encrypted for a credential).
type CreateAccountKeyRequest struct {
	EncryptedPrivateKey *EncryptedData `json:"encrypted_private_key"`
	PublicKey           []byte         `json:"public_key"`
}

CreateAccountKeyRequest contains the fields to add an account_key encrypted for a credential.

func (CreateAccountKeyRequest) Validate

func (req CreateAccountKeyRequest) Validate() error

Validate checks whether the request is valid.

type CreateCredentialRequest

// CreateCredentialRequest adds a credential to an account. Proof is untyped on
// the wire; UnmarshalJSON on this type picks the concrete proof type from Type.
type CreateCredentialRequest struct {
	Type        CredentialType `json:"type"`
	Fingerprint string         `json:"fingerprint"`
	// Description is serialized under the JSON key "name", not "description".
	Description *string                  `json:"name,omitempty"`
	Verifier    []byte                   `json:"verifier"`
	Proof       interface{}              `json:"proof"`
	Metadata    map[string]string        `json:"metadata"`
	AccountKey  *CreateAccountKeyRequest `json:"account_key,omitempty"`
}

CreateCredentialRequest contains the fields to add a credential to an account.

func (req *CreateCredentialRequest) RequiredIDPLink() (IdentityProviderLinkType, string, error)

RequiredIDPLink can be used if the credential requires an IDP Link to exist before creation. It returns the link type and the linked ID if a link is required. It returns empty strings if no link is required for the credential type.

func (*CreateCredentialRequest) UnmarshalJSON added in v0.21.0

func (req *CreateCredentialRequest) UnmarshalJSON(b []byte) error

UnmarshalJSON converts a JSON representation into a CreateCredentialRequest with the correct Proof.

func (*CreateCredentialRequest) Validate

func (req *CreateCredentialRequest) Validate() error

Validate validates the request fields.

type CreateDirRequest

// CreateDirRequest creates a directory. The server only sees blind names; the
// plaintext name is sent as EncryptedNames, one entry per account that may read it.
type CreateDirRequest struct {
	BlindName       string `json:"blind_name"`
	ParentBlindName string `json:"parent_blind_name"`

	EncryptedNames []EncryptedNameRequest `json:"encrypted_names"`
}

CreateDirRequest contains the request fields for creating a new directory.

func (*CreateDirRequest) Validate

func (cdr *CreateDirRequest) Validate() error

Validate validates the CreateDirRequest to be valid.

type CreateIdentityProviderLinkGCPRequest added in v0.30.0

// CreateIdentityProviderLinkGCPRequest links a GCP identity provider.
// AuthorizationCode is presumably an OAuth 2.0 authorization code to be exchanged
// together with RedirectURL — confirm with the server side. Treat it as a
// short-lived secret (do not log it).
type CreateIdentityProviderLinkGCPRequest struct {
	RedirectURL       string `json:"redirect_url"`
	AuthorizationCode string `json:"authorization_code"`
}

type CreateOrgMemberRequest

// CreateOrgMemberRequest adds a user to an organization with the given Role
// (see the OrgRole* constants).
type CreateOrgMemberRequest struct {
	Username string `json:"username"`
	Role     string `json:"role"`
}

CreateOrgMemberRequest contains the required fields for creating a user's organization membership.

func (CreateOrgMemberRequest) Validate

func (req CreateOrgMemberRequest) Validate() error

Validate validates the request fields.

type CreateOrgRequest

// CreateOrgRequest creates an organization; both fields are validated by Validate.
type CreateOrgRequest struct {
	Name        string `json:"name"`
	Description string `json:"description"`
}

CreateOrgRequest contains the required fields for creating an organization.

func (CreateOrgRequest) Validate

func (req CreateOrgRequest) Validate() error

Validate validates the request fields.

type CreateRepoMemberRequest

// CreateRepoMemberRequest adds an account to a repo. Both fields are raw bytes;
// presumably the repo's keys encrypted for the new member's account key — confirm
// with the client code that builds this request.
type CreateRepoMemberRequest struct {
	RepoEncryptionKey []byte `json:"repo_encryption_key"`
	RepoIndexKey      []byte `json:"repo_index_key"`
}

CreateRepoMemberRequest contains the required fields for adding a user to a repo.

func (CreateRepoMemberRequest) Validate

func (req CreateRepoMemberRequest) Validate() error

Validate validates a CreateRepoMemberRequest.

type CreateRepoRequest

// CreateRepoRequest creates a repo together with its root directory and the
// creator's membership (keys), so a repo is never created without a member
// able to decrypt it.
type CreateRepoRequest struct {
	Name       string                   `json:"name"`
	RootDir    *CreateDirRequest        `json:"root_dir"`
	RepoMember *CreateRepoMemberRequest `json:"repo_member"`
}

CreateRepoRequest contains the required fields for a Repo.

func (CreateRepoRequest) Validate

func (crr CreateRepoRequest) Validate() error

Validate validates the request fields.

type CreateSecretKeyRequest

// CreateSecretKeyRequest registers a new secret key, supplied already encrypted
// once per account that must be able to use it.
type CreateSecretKeyRequest struct {
	EncryptedFor []EncryptedKeyRequest `json:"encrypted_for"`
}

CreateSecretKeyRequest contains the request fields for creating a new secret key.

func (*CreateSecretKeyRequest) Validate

func (r *CreateSecretKeyRequest) Validate() error

Validate validates the request fields.

type CreateSecretRequest

// CreateSecretRequest creates a secret and its first version. EncryptedData is
// AES ciphertext; the name and the AES key are carried per account in
// EncryptedNames and EncryptedKeys (RSA ciphertexts, see the request types).
type CreateSecretRequest struct {
	BlindName     string               `json:"blind_name"`
	EncryptedData crypto.CiphertextAES `json:"encrypted_data"`

	EncryptedNames []EncryptedNameRequest `json:"encrypted_names"`
	EncryptedKeys  []EncryptedKeyRequest  `json:"encrypted_keys"`
}

CreateSecretRequest contains the request fields for creating a new secret, together with its first version, encrypted for accounts that need access.

func (*CreateSecretRequest) Validate

func (csr *CreateSecretRequest) Validate() error

Validate validates the request fields.

type CreateSecretVersionRequest

// CreateSecretVersionRequest adds a version to an existing secret, reusing the
// secret key identified by SecretKeyID rather than shipping a new one.
type CreateSecretVersionRequest struct {
	EncryptedData crypto.CiphertextAES `json:"encrypted_data"`
	SecretKeyID   uuid.UUID            `json:"secret_key_id"`
}

CreateSecretVersionRequest contains the request fields for creating a secret version with a secret key.

func (*CreateSecretVersionRequest) Validate

func (csvr *CreateSecretVersionRequest) Validate() error

Validate validates the request fields.

type CreateServiceRequest

// CreateServiceRequest creates a service account with its initial Credential
// and its repo membership in one call.
type CreateServiceRequest struct {
	Description string                   `json:"description"`
	Credential  *CreateCredentialRequest `json:"credential"`
	RepoMember  *CreateRepoMemberRequest `json:"repo_member"`
}

CreateServiceRequest contains the required fields for creating a Service.

func (CreateServiceRequest) Validate

func (req CreateServiceRequest) Validate() error

Validate validates the request fields.

type Credential

// Credential is a means of authenticating to the API. Fingerprint is derived
// from Type and Verifier (see GetFingerprint). Metadata carries provider
// specific keys such as the CredentialMetadata* constants.
type Credential struct {
	AccountID   uuid.UUID         `json:"account_id"`
	Type        CredentialType    `json:"type"`
	CreatedAt   time.Time         `json:"created_at"`
	Fingerprint string            `json:"fingerprint"`
	Description string            `json:"description"`
	Verifier    []byte            `json:"verifier"`
	Metadata    map[string]string `json:"metadata,omitempty"`
	Enabled     bool              `json:"enabled"`
}

Credential is used to authenticate to the API and to encrypt the account key.

type CredentialProofAWS added in v0.21.0

// CredentialProofAWS is the Proof of a CreateCredentialRequest with type
// CredentialTypeAWS. It has the same shape as AuthPayloadAWSSTS: a region and
// the raw STS request bytes.
type CredentialProofAWS struct {
	Region  string `json:"region"`
	Request []byte `json:"request"`
}

CredentialProofAWS is proof for when the credential type is AWSSTS.

func (CredentialProofAWS) Validate added in v0.21.0

func (p CredentialProofAWS) Validate() error

Validate whether the CredentialProofAWS is valid.

type CredentialProofBackupCode added in v0.25.0

type CredentialProofBackupCode struct{}

CredentialProofBackupCode is proof for when the credential type is backup key.

type CredentialProofGCPServiceAccount added in v0.29.0

type CredentialProofGCPServiceAccount struct{}

CredentialProofGCPServiceAccount is proof for when the credential type is GCPServiceAccount.

type CredentialProofKey added in v0.21.0

type CredentialProofKey struct{}

CredentialProofKey is proof for when the credential type is RSA.

type CredentialType

type CredentialType string

CredentialType is used to identify the type of algorithm that is used for a credential.

// Credential types. Each maps to a CredentialProof* type on creation and, for
// the cloud-backed ones, to an AuthMethod* value when authenticating.
const (
	CredentialTypeKey               CredentialType = "key"
	CredentialTypeAWS               CredentialType = "aws"
	CredentialTypeBackupCode        CredentialType = "backup-code"
	CredentialTypeGCPServiceAccount CredentialType = "gcp-service-account"
)

Credential types

type Dir

// Dir is a decrypted directory (the plaintext Name is present). ParentID is nil
// for a repo's root directory — inferred from the pointer type, confirm.
// Status is likely one of the Status* constants — confirm.
type Dir struct {
	DirID          uuid.UUID  `json:"dir_id"`
	BlindName      string     `json:"blind_name"`
	Name           string     `json:"name"`
	ParentID       *uuid.UUID `json:"parent_id"`
	Status         string     `json:"status"`
	CreatedAt      time.Time  `json:"created_at"`
	LastModifiedAt time.Time  `json:"last_modified_at"`
	SubDirs        []*Dir     `json:"sub_dirs"`
	Secrets        []*Secret  `json:"secrets"`
}

Dir represents a directory. A dir belongs to a repo and contains other dirs and secrets.

type DirPath

type DirPath ParentPath

DirPath is a parsed dir path of form :owner/:repo_name/[parents/]*:directory.

func NewDirPath

func NewDirPath(path string) (DirPath, error)

NewDirPath parses the given path string into a DirPath, returning an error when it is not a valid dir path.

func (DirPath) BlindName

func (dp DirPath) BlindName(key *crypto.SymmetricKey) (string, error)

BlindName returns the blind name of the DirPath.

func (DirPath) GetDirName

func (dp DirPath) GetDirName() string

GetDirName returns the dir name.

func (DirPath) GetNamespace

func (dp DirPath) GetNamespace() string

GetNamespace returns the namespace of the Repo.

func (DirPath) GetParentPath

func (dp DirPath) GetParentPath() (ParentPath, error)

GetParentPath returns the parent of the directory.

func (DirPath) GetRepo

func (dp DirPath) GetRepo() string

GetRepo returns the name of the Repo.

func (DirPath) GetRepoPath

func (dp DirPath) GetRepoPath() RepoPath

GetRepoPath returns the namespace and repo name of the Repo.

func (DirPath) HasParentDirectory

func (dp DirPath) HasParentDirectory() bool

HasParentDirectory returns if the DirPath has a parent directory.

func (DirPath) IsRepoPath

func (dp DirPath) IsRepoPath() bool

IsRepoPath returns if the dir path is on repo level.

func (DirPath) JoinDir

func (dp DirPath) JoinDir(dirName string) DirPath

JoinDir constructs a new DirPath from the DirPath and dirName.

func (DirPath) JoinSecret

func (dp DirPath) JoinSecret(secretName string) SecretPath

JoinSecret constructs a new SecretPath from the DirPath and secretName.

func (*DirPath) Set

func (dp *DirPath) Set(value string) error

Set implements the flag.Value interface and validates the value.

func (DirPath) String

func (dp DirPath) String() string

String returns the dir path as a string to be used for printing.

func (DirPath) Validate

func (dp DirPath) Validate() error

Validate validates a dir path of form :owner/:repo_name/[parents/]*:directory.

func (DirPath) Value

func (dp DirPath) Value() string

Value returns the dir path as a string to be used in communication with the client and in transportation to the server.

type EncryptedAccountKey

// EncryptedAccountKey is an account's key pair as stored server-side: the
// private key only ever appears as EncryptedData, protected by Credential.
type EncryptedAccountKey struct {
	Account             *Account       `json:"account"`
	PublicKey           []byte         `json:"public_key"`
	EncryptedPrivateKey *EncryptedData `json:"encrypted_private_key"`
	Credential          *Credential    `json:"credential"`
}

EncryptedAccountKey represents an account key encrypted with a credential.

type EncryptedData added in v0.21.0

// EncryptedData is the generic ciphertext envelope. Algorithm selects one of
// the EncryptionAlgorithm* values; Key, Parameters and Metadata are untyped
// because their shape depends on Algorithm (UnmarshalJSON resolves them).
// Use AESGCM() to obtain a typed view for the AES-GCM case.
type EncryptedData struct {
	Algorithm  EncryptionAlgorithm `json:"algorithm"`
	Key        interface{}         `json:"key"`
	Parameters interface{}         `json:"parameters,omitempty"`
	Metadata   interface{}         `json:"metadata,omitempty"`
	Ciphertext []byte              `json:"ciphertext"`
}

EncryptedData contains data that is encrypted with an algorithm described by Algorithm. If the encryption method requires metadata, this is contained in Metadata.

func NewEncryptedDataAESGCM added in v0.21.0

func NewEncryptedDataAESGCM(ciphertext, nonce []byte, nonceLength int, key interface{}) *EncryptedData

NewEncryptedDataAESGCM creates a new EncryptedData with the AES-GCM algorithm.

func NewEncryptedDataAWSKMS added in v0.21.0

func NewEncryptedDataAWSKMS(ciphertext []byte, key *EncryptionKeyAWS) *EncryptedData

NewEncryptedDataAWSKMS creates a new EncryptedData with the AWS-KMS algorithm.

func NewEncryptedDataGCPKMS added in v0.29.0

func NewEncryptedDataGCPKMS(ciphertext []byte, key *EncryptionKeyGCP) *EncryptedData

NewEncryptedDataGCPKMS creates a new EncryptedData with the GCP-KMS algorithm.

func NewEncryptedDataRSAOAEP added in v0.21.0

func NewEncryptedDataRSAOAEP(ciphertext []byte, hashingAlgorithm HashingAlgorithm, key interface{}) *EncryptedData

NewEncryptedDataRSAOAEP creates a new EncryptedData with the RSA-OAEP algorithm.

func (*EncryptedData) AESGCM added in v0.25.0

func (ed *EncryptedData) AESGCM() (*EncryptedDataAESGCM, error)

AESGCM casts the EncryptedData to EncryptedDataAESGCM. Returns an error if the EncryptedData does not have AESGCM as its algorithm.

func (*EncryptedData) UnmarshalJSON added in v0.21.0

func (ed *EncryptedData) UnmarshalJSON(b []byte) error

UnmarshalJSON populates an EncryptedData from a JSON representation.

func (*EncryptedData) Validate added in v0.21.0

func (ed *EncryptedData) Validate() error

Validate whether the EncryptedData is valid.

type EncryptedDataAESGCM added in v0.25.0

// EncryptedDataAESGCM is the typed form of an EncryptedData whose Algorithm is
// EncryptionAlgorithmAESGCM, as returned by EncryptedData.AESGCM. Key stays
// untyped because several EncryptionKey* types can wrap an AES key.
type EncryptedDataAESGCM struct {
	Key        interface{}
	Parameters EncryptionParametersAESGCM
	Metadata   EncryptionMetadataAESGCM
	Ciphertext []byte
}

EncryptedDataAESGCM is a typed EncryptedData for the AESGCM algorithm.

type EncryptedDir

// EncryptedDir is a directory as the server stores it: only the blind name and
// an RSA-encrypted name. Decrypt turns it into a Dir.
type EncryptedDir struct {
	DirID          uuid.UUID            `json:"dir_id"`
	BlindName      string               `json:"blind_name"`
	EncryptedName  crypto.CiphertextRSA `json:"encrypted_name"`
	ParentID       *uuid.UUID           `json:"parent_id"`
	Status         string               `json:"status"`
	CreatedAt      time.Time            `json:"created_at"`
	LastModifiedAt time.Time            `json:"last_modified_at"`
}

EncryptedDir represents an encrypted Dir. The names are encrypted and so are the names of SubDirs and Secrets. The secrets contain no encrypted data, only the encrypted name.

func (*EncryptedDir) Decrypt

func (ed *EncryptedDir) Decrypt(accountKey *crypto.RSAPrivateKey) (*Dir, error)

Decrypt decrypts an EncryptedDir into a Dir.

type EncryptedKeyRequest

// EncryptedKeyRequest carries a key RSA-encrypted for one specific account.
type EncryptedKeyRequest struct {
	AccountID    uuid.UUID            `json:"account_id"`
	EncryptedKey crypto.CiphertextRSA `json:"encrypted_key"`
}

EncryptedKeyRequest contains the request fields for a key re-encrypted for an account.

func (*EncryptedKeyRequest) Validate

func (r *EncryptedKeyRequest) Validate() error

Validate validates the request fields.

type EncryptedNameForNodeRequest

// EncryptedNameForNodeRequest is an EncryptedNameRequest that also names the
// node (directory or secret) the encrypted name belongs to.
type EncryptedNameForNodeRequest struct {
	EncryptedNameRequest
	NodeID uuid.UUID `json:"node_id"`
}

EncryptedNameForNodeRequest contains an EncryptedName for an Account and the corresponding NodeID.

func (EncryptedNameForNodeRequest) Validate

func (nnr EncryptedNameForNodeRequest) Validate() error

Validate validates the EncryptedNameForNodeRequest.

type EncryptedNameRequest

// EncryptedNameRequest carries a node name RSA-encrypted for one specific account.
type EncryptedNameRequest struct {
	AccountID     uuid.UUID            `json:"account_id"`
	EncryptedName crypto.CiphertextRSA `json:"encrypted_name"`
}

EncryptedNameRequest contains an EncryptedName for an Account.

func (*EncryptedNameRequest) Validate

func (enr *EncryptedNameRequest) Validate() error

Validate validates the EncryptedNameRequest to be valid.

type EncryptedSecret

// EncryptedSecret is a secret's metadata as the server stores it: blind name,
// RSA-encrypted name and version bookkeeping, but no secret data.
type EncryptedSecret struct {
	SecretID      uuid.UUID            `json:"secret_id"`
	DirID         uuid.UUID            `json:"dir_id"`
	RepoID        uuid.UUID            `json:"repo_id"`
	EncryptedName crypto.CiphertextRSA `json:"encrypted_name"`
	BlindName     string               `json:"blind_name"`
	VersionCount  int                  `json:"version_count"`
	LatestVersion int                  `json:"latest_version"`
	Status        string               `json:"status"`
	CreatedAt     time.Time            `json:"created_at"`
}

EncryptedSecret represents an encrypted Secret. It does not contain the encrypted data, only the encrypted name.

func (*EncryptedSecret) Decrypt

func (es *EncryptedSecret) Decrypt(accountKey *crypto.RSAPrivateKey) (*Secret, error)

Decrypt decrypts an EncryptedSecret into a Secret.

func (*EncryptedSecret) ToAuditSubject

func (es *EncryptedSecret) ToAuditSubject() *AuditSubject

ToAuditSubject converts an EncryptedSecret to an AuditSubject.

type EncryptedSecretKey

// EncryptedSecretKey is a secret key wrapped (RSA) for a single account; the
// same key id can exist once per account that has access.
type EncryptedSecretKey struct {
	SecretKeyID  uuid.UUID            `json:"secret_key_id"`
	AccountID    uuid.UUID            `json:"account_id"`
	EncryptedKey crypto.CiphertextRSA `json:"encrypted_key"`
}

EncryptedSecretKey represents a secret key, encrypted for a specific account.

func (*EncryptedSecretKey) Decrypt

func (k *EncryptedSecretKey) Decrypt(accountKey *crypto.RSAPrivateKey) (*SecretKey, error)

Decrypt decrypts an EncryptedSecretKey into a SecretKey.

type EncryptedSecretVersion

// EncryptedSecretVersion is one version of a secret. SecretKey and
// EncryptedData are omitempty pointers and may be absent (e.g. a listing that
// returns metadata only — confirm with the endpoint); callers must nil-check
// before Decrypt.
type EncryptedSecretVersion struct {
	SecretVersionID uuid.UUID             `json:"secret_version_id"`
	Secret          *EncryptedSecret      `json:"secret"`
	Version         int                   `json:"version"`
	SecretKey       *EncryptedSecretKey   `json:"secret_key,omitempty"`
	EncryptedData   *crypto.CiphertextAES `json:"encrypted_data,omitempty"`
	CreatedAt       time.Time             `json:"created_at"`
	Status          string                `json:"status"`
}

EncryptedSecretVersion represents a version of an encrypted Secret. It contains the encrypted data and the corresponding key.

func (*EncryptedSecretVersion) Decrypt

func (esv *EncryptedSecretVersion) Decrypt(accountKey *crypto.RSAPrivateKey) (*SecretVersion, error)

Decrypt decrypts an EncryptedSecretVersion into a SecretVersion.

func (*EncryptedSecretVersion) ToAuditSubject

func (esv *EncryptedSecretVersion) ToAuditSubject() *AuditSubject

ToAuditSubject converts an EncryptedSecretVersion to an AuditSubject.

type EncryptedTree

// EncryptedTree is the flat, still-encrypted contents of a subtree: directories
// keyed by id and the secrets they contain. Decrypt rebuilds the hierarchy.
type EncryptedTree struct {
	Directories map[uuid.UUID]*EncryptedDir
	Secrets     []*EncryptedSecret
}

EncryptedTree can construct a full tree at a certain path. It contains all dirs and secrets.

func (EncryptedTree) Decrypt

func (t EncryptedTree) Decrypt(accountKey *crypto.RSAPrivateKey) (*Tree, error)

Decrypt decrypts and constructs a tree of the directories and secrets. Decrypt does not set the ParentPath.

func (EncryptedTree) DecryptContents

func (t EncryptedTree) DecryptContents(accountKey *crypto.RSAPrivateKey) ([]*Dir, []*Secret, error)

DecryptContents decrypts every directory and Secret.

type EncryptionAlgorithm added in v0.21.0

type EncryptionAlgorithm string

EncryptionAlgorithm specifies the encryption algorithm used for EncryptedData.

func (*EncryptionAlgorithm) UnmarshalJSON added in v0.21.0

func (ed *EncryptionAlgorithm) UnmarshalJSON(b []byte) error

UnmarshalJSON populates an EncryptionAlgorithm by converting an input string to lowercase.

type EncryptionKey added in v0.21.0

// EncryptionKey is embedded by every concrete EncryptionKey* type; Type is the
// discriminator used when the key is deserialized from JSON.
type EncryptionKey struct {
	Type KeyType `json:"type"`
}

EncryptionKey specifies the common fields for all types of encryption keys.

type EncryptionKeyAWS added in v0.21.0

// EncryptionKeyAWS references a key held in AWS KMS by ID; the key material
// itself never leaves KMS.
type EncryptionKeyAWS struct {
	EncryptionKey
	ID string `json:"id"`
}

EncryptionKeyAWS is a key that is stored in the AWS KMS service and which can be used for encryption by calling the AWS KMS API.

func NewEncryptionKeyAWS added in v0.21.0

func NewEncryptionKeyAWS(id string) *EncryptionKeyAWS

NewEncryptionKeyAWS creates an EncryptionKeyAWS.

func (EncryptionKeyAWS) SupportsAlgorithm added in v0.21.0

func (EncryptionKeyAWS) SupportsAlgorithm(a EncryptionAlgorithm) bool

SupportsAlgorithm returns true when the encryption key supports the given algorithm.

func (EncryptionKeyAWS) Validate added in v0.21.0

func (k EncryptionKeyAWS) Validate() error

Validate whether the EncryptionKeyAWS is valid.

type EncryptionKeyAccountKey added in v0.21.0

// EncryptionKeyAccountKey references an account's master key by ID. Length is
// the key length; its unit (bits or bytes) is not visible here — confirm.
type EncryptionKeyAccountKey struct {
	EncryptionKey
	Length int       `json:"length"`
	ID     uuid.UUID `json:"id"`
}

EncryptionKeyAccountKey is an account's master key that is used to encrypt data and/or keys specifically for an account.

func NewEncryptionKeyAccountKey added in v0.21.0

func NewEncryptionKeyAccountKey(length int, id uuid.UUID) *EncryptionKeyAccountKey

NewEncryptionKeyAccountKey creates an EncryptionKeyAccountKey.

func (EncryptionKeyAccountKey) SupportsAlgorithm added in v0.21.0

func (EncryptionKeyAccountKey) SupportsAlgorithm(a EncryptionAlgorithm) bool

SupportsAlgorithm returns true when the encryption key supports the given algorithm.

func (EncryptionKeyAccountKey) Validate added in v0.21.0

func (k EncryptionKeyAccountKey) Validate() error

Validate whether the EncryptionKeyAccountKey is valid.

type EncryptionKeyBootstrapCode added in v0.25.0

// EncryptionKeyBootstrapCode describes a key the user memorizes as a code; only
// its Length is stored, never the code itself.
type EncryptionKeyBootstrapCode struct {
	EncryptionKey
	Length int `json:"length"`
}

EncryptionKeyBootstrapCode is an encryption key that is stored as a code memorized by the user.

func NewEncryptionKeyBootstrapCode added in v0.25.0

func NewEncryptionKeyBootstrapCode(length int) *EncryptionKeyBootstrapCode

NewEncryptionKeyBootstrapCode creates an EncryptionKeyBootstrapCode.

func (EncryptionKeyBootstrapCode) SupportsAlgorithm added in v0.25.0

SupportsAlgorithm returns true when the encryption key supports the given algorithm.

func (EncryptionKeyBootstrapCode) Validate added in v0.25.0

func (k EncryptionKeyBootstrapCode) Validate() error

Validate whether the EncryptionKeyBootstrapCode is valid.

type EncryptionKeyDerived added in v0.21.0

// EncryptionKeyDerived is an encryption key that can be derived from a
// passphrase. Parameters and Metadata are specific to the key derivation
// Algorithm; for scrypt see KeyDerivationParametersScrypt and
// KeyDerivationMetadataScrypt (presumably selected by UnmarshalJSON based on
// Algorithm — confirm). Both arrive untyped from JSON, so callers should run
// Validate on a decoded value before using the parameters for derivation.
type EncryptionKeyDerived struct {
	EncryptionKey
	// Length is the length of the derived key; the unit is not specified here — confirm against the server.
	Length     int                    `json:"length"`
	// Algorithm names the key derivation algorithm (see KeyDerivationAlgorithm).
	Algorithm  KeyDerivationAlgorithm `json:"algorithm"`
	// Parameters holds the algorithm-specific derivation parameters, if any.
	Parameters interface{}            `json:"parameters,omitempty"`
	// Metadata holds the algorithm-specific derivation metadata (e.g. a salt), if any.
	Metadata   interface{}            `json:"metadata,omitempty"`
}

EncryptionKeyDerived is an encryption key that can be derived from a passphrase.

func NewEncryptionKeyDerivedScrypt added in v0.21.0

func NewEncryptionKeyDerivedScrypt(length, p, n, r int, salt []byte) *EncryptionKeyDerived

NewEncryptionKeyDerivedScrypt creates a EncryptionKeyDerived with scrypt as key derivation algorithm.

func (EncryptionKeyDerived) SupportsAlgorithm added in v0.21.0

func (EncryptionKeyDerived) SupportsAlgorithm(a EncryptionAlgorithm) bool

SupportsAlgorithm returns true when the encryption key supports the given algorithm.

func (*EncryptionKeyDerived) UnmarshalJSON added in v0.21.0

func (k *EncryptionKeyDerived) UnmarshalJSON(b []byte) error

UnmarshalJSON populates an EncryptionKeyDerived from a JSON representation.

func (EncryptionKeyDerived) Validate added in v0.21.0

func (k EncryptionKeyDerived) Validate() error

Validate whether the EncryptionKeyDerived is valid.

type EncryptionKeyEncrypted added in v0.21.0

// EncryptionKeyEncrypted is an encryption key that has been encrypted by
// another key. Both fields are pointers, so a JSON document that omits them
// decodes to nil rather than to a zero value; Validate is the place to reject
// such a document.
type EncryptionKeyEncrypted struct {
	EncryptionKey
	// Length is the length of the wrapped key; the unit is not specified here — confirm against the server.
	Length       *int           `json:"length"`
	// EncryptedKey is the ciphertext of the key together with the key that encrypted it.
	EncryptedKey *EncryptedData `json:"encrypted_key"`
}

EncryptionKeyEncrypted is an encryption key that has been encrypted by another key.

func NewEncryptionKeyEncrypted added in v0.21.0

func NewEncryptionKeyEncrypted(length int, encryptedKey *EncryptedData) *EncryptionKeyEncrypted

NewEncryptionKeyEncrypted creates a EncryptionKeyEncrypted.

func (EncryptionKeyEncrypted) SupportsAlgorithm added in v0.21.0

func (EncryptionKeyEncrypted) SupportsAlgorithm(a EncryptionAlgorithm) bool

SupportsAlgorithm returns true when the encryption key supports the given algorithm.

func (EncryptionKeyEncrypted) Validate added in v0.21.0

func (k EncryptionKeyEncrypted) Validate() error

Validate checks whether all the fields of the EncryptionKeyEncrypted are valid.

type EncryptionKeyGCP added in v0.29.0

// EncryptionKeyGCP is a key that is stored in the GCP KMS service and which
// can be used for encryption by calling the GCP KMS API. Only the KMS key
// identifier is carried in this struct; no key material is included.
type EncryptionKeyGCP struct {
	EncryptionKey
	// ID identifies the key within GCP KMS.
	ID string `json:"id"`
}

EncryptionKeyGCP is a key that is stored in the GCP KMS service and which can be used for encryption by calling the GCP KMS API.

func NewEncryptionKeyGCP added in v0.29.0

func NewEncryptionKeyGCP(id string) *EncryptionKeyGCP

NewEncryptionKeyGCP creates a EncryptionKeyGCP.

func (EncryptionKeyGCP) SupportsAlgorithm added in v0.29.0

func (EncryptionKeyGCP) SupportsAlgorithm(a EncryptionAlgorithm) bool

SupportsAlgorithm returns true when the encryption key supports the given algorithm.

func (EncryptionKeyGCP) Validate added in v0.29.0

func (k EncryptionKeyGCP) Validate() error

Validate whether the EncryptionKeyGCP is valid.

type EncryptionKeyLocal added in v0.21.0

// EncryptionKeyLocal is an encryption key that is stored locally by the user.
// Only the key's length is carried here; no key material is included.
type EncryptionKeyLocal struct {
	EncryptionKey
	// Length is the key length; the unit is not specified here — confirm against the server.
	Length int `json:"length"`
}

EncryptionKeyLocal is an encryption key that is stored locally by the user.

func NewEncryptionKeyLocal added in v0.21.0

func NewEncryptionKeyLocal(length int) *EncryptionKeyLocal

NewEncryptionKeyLocal creates a EncryptionKeyLocal.

func (EncryptionKeyLocal) SupportsAlgorithm added in v0.21.0

func (EncryptionKeyLocal) SupportsAlgorithm(a EncryptionAlgorithm) bool

SupportsAlgorithm returns true when the encryption key supports the given algorithm.

func (EncryptionKeyLocal) Validate added in v0.21.0

func (k EncryptionKeyLocal) Validate() error

Validate whether the EncryptionKeyLocal is valid.

type EncryptionKeySecretKey added in v0.21.0

// EncryptionKeySecretKey is a key that is used to encrypt secrets. Only the
// key's length and ID are carried here; the key material itself is conveyed
// separately (see SecretKey).
type EncryptionKeySecretKey struct {
	EncryptionKey
	// Length is the key length; the unit is not specified here — confirm against the server.
	Length int       `json:"length"`
	// ID identifies the secret key.
	ID     uuid.UUID `json:"id"`
}

EncryptionKeySecretKey is a key that is used to encrypt secrets.

func NewEncryptionKeySecretKey added in v0.21.0

func NewEncryptionKeySecretKey(length int, id uuid.UUID) *EncryptionKeySecretKey

NewEncryptionKeySecretKey creates a EncryptionKeySecretKey.

func (EncryptionKeySecretKey) SupportsAlgorithm added in v0.21.0

func (EncryptionKeySecretKey) SupportsAlgorithm(a EncryptionAlgorithm) bool

SupportsAlgorithm returns true when the encryption key supports the given algorithm.

func (EncryptionKeySecretKey) Validate added in v0.21.0

func (k EncryptionKeySecretKey) Validate() error

Validate whether the EncryptionKeySecretKey is valid.

type EncryptionMetadataAESGCM added in v0.21.0

// EncryptionMetadataAESGCM is the metadata used by the AES-GCM encryption
// algorithm.
type EncryptionMetadataAESGCM struct {
	// Nonce is the per-message nonce. AES-GCM requires that a nonce is never
	// reused under the same key; a producer must generate a fresh one per encryption.
	Nonce []byte `json:"nonce"`
}

EncryptionMetadataAESGCM is the metadata used by the AES-GCM encryption algorithm.

func (EncryptionMetadataAESGCM) Validate added in v0.21.0

func (m EncryptionMetadataAESGCM) Validate() error

Validate checks whether the EncryptionMetadataAESGCM is valid.

type EncryptionParametersAESGCM added in v0.21.0

// EncryptionParametersAESGCM are the parameters used by the AES-GCM
// encryption algorithm.
type EncryptionParametersAESGCM struct {
	// NonceLength is the length of the nonce; the unit is not specified here — presumably bytes, confirm.
	NonceLength int `json:"nonce_length"`
}

EncryptionParametersAESGCM are the parameters used by the AES-GCM encryption algorithm.

func (EncryptionParametersAESGCM) Validate added in v0.21.0

func (p EncryptionParametersAESGCM) Validate() error

Validate checks whether the EncryptionParametersAESGCM is valid.

type EncryptionParametersRSAOAEP added in v0.21.0

// EncryptionParametersRSAOAEP are the parameters used by the RSA-OAEP
// encryption algorithm.
type EncryptionParametersRSAOAEP struct {
	// HashingAlgorithm selects the hash function used by OAEP (see HashingAlgorithm).
	HashingAlgorithm HashingAlgorithm `json:"hashing_algorithm"`
}

EncryptionParametersRSAOAEP are the parameters used by the RSA-OAEP encryption algorithm.

func (EncryptionParametersRSAOAEP) Validate added in v0.21.0

func (p EncryptionParametersRSAOAEP) Validate() error

Validate checks whether the EncryptionParametersRSAOAEP is valid.

type HashingAlgorithm added in v0.21.0

// HashingAlgorithm specifies the hashing algorithm used by any encryption
// algorithm that uses hashing. Values are converted to lowercase when decoded
// from JSON (see UnmarshalJSON).
type HashingAlgorithm string

HashingAlgorithm specifies the hashing algorithm used by any encryption algorithm that uses hashing.

func (*HashingAlgorithm) UnmarshalJSON added in v0.21.0

func (ed *HashingAlgorithm) UnmarshalJSON(b []byte) error

UnmarshalJSON populates a HashingAlgorithm by converting an input string to lowercase.

// IdentityProviderLink records that a member of Namespace has proven access to
// a resource (identified by LinkedID) within an identity provider of the given
// Type. Such a link is a prerequisite for creating some identity provider
// backed service accounts: once it exists, service accounts can be created
// within the scope described by LinkedID.
//
// The meaning of LinkedID depends on Type:
//   - GCP: LinkedID is a GCP Project ID.
type IdentityProviderLink struct {
	Type      IdentityProviderLinkType `json:"type"`
	Namespace string                   `json:"namespace"`
	LinkedID  string                   `json:"linked_id"`
	CreatedAt time.Time                `json:"created_at"`
}

IdentityProviderLink is a prerequisite for creating some identity provider backed service accounts. These links prove that a namespace's member has access to a resource (identified by the LinkedID) within the identity provider. Once a link between a namespace and an identity provider has been created, from then on service accounts can be created within the scope described by the LinkedID. For example, after creating a link to a GCP Project, GCP service accounts within that project can be used for the GCP Identity Provider.

The meaning of LinkedID depends on the type of the IdentityProviderLink in the following way:

- GCP: LinkedID is a GCP Project ID.

type IdentityProviderLinkType added in v0.30.0

// IdentityProviderLinkType identifies the identity provider an
// IdentityProviderLink refers to.
type IdentityProviderLinkType string

// Options for IdentityProviderLinkType.
const (
	// IdentityProviderLinkGCP links a namespace to a GCP project; the link's
	// LinkedID is then a GCP Project ID.
	IdentityProviderLinkGCP IdentityProviderLinkType = "gcp"
)

type InviteUserRequest

// InviteUserRequest contains the required fields for inviting a user to a
// repo.
type InviteUserRequest struct {
	// AccountID is the account of the user being invited.
	AccountID  uuid.UUID                `json:"account_id"`
	// RepoMember carries the repo membership to create for the invited user.
	RepoMember *CreateRepoMemberRequest `json:"repo_member"`
}

InviteUserRequest contains the required fields for inviting a user to a repo.

func (InviteUserRequest) Validate

func (req InviteUserRequest) Validate() error

Validate validates an InviteUserRequest.

type KeyDerivationAlgorithm added in v0.21.0

// KeyDerivationAlgorithm specifies the key derivation algorithm used for a
// derived key. Values are converted to lowercase when decoded from JSON (see
// UnmarshalJSON).
type KeyDerivationAlgorithm string

KeyDerivationAlgorithm specifies the key derivation algorithm used for a derived key.

// Options for KeyDerivationAlgorithm.
const (
	// KeyDerivationAlgorithmScrypt derives the key with scrypt; its parameters
	// and metadata are KeyDerivationParametersScrypt and KeyDerivationMetadataScrypt.
	KeyDerivationAlgorithmScrypt KeyDerivationAlgorithm = "scrypt"
)

Options for KeyDerivationAlgorithm

func (*KeyDerivationAlgorithm) UnmarshalJSON added in v0.21.0

func (ed *KeyDerivationAlgorithm) UnmarshalJSON(b []byte) error

UnmarshalJSON populates a KeyDerivationAlgorithm by converting an input string to lowercase.

type KeyDerivationMetadataScrypt added in v0.21.0

// KeyDerivationMetadataScrypt is the metadata used by the scrypt key
// derivation algorithm.
type KeyDerivationMetadataScrypt struct {
	// Salt is the scrypt salt; it must be stored alongside the derived key so
	// the same key can be re-derived from the passphrase.
	Salt []byte `json:"salt"`
}

KeyDerivationMetadataScrypt is the metadata used by the scrypt key derivation algorithm.

func (KeyDerivationMetadataScrypt) Validate added in v0.21.0

func (m KeyDerivationMetadataScrypt) Validate() error

Validate whether the KeyDerivationMetadataScrypt is valid.

type KeyDerivationParametersScrypt added in v0.21.0

// KeyDerivationParametersScrypt are the parameters used by the scrypt key
// derivation algorithm: N is the CPU/memory cost, R the block size and P the
// parallelization factor. Validate should reject values that are too weak or
// so large that derivation exhausts memory, since these may arrive from JSON.
type KeyDerivationParametersScrypt struct {
	P int `json:"p"`
	N int `json:"n"`
	R int `json:"r"`
}

KeyDerivationParametersScrypt are the parameters used by the scrypt key derivation algorithm.

func (KeyDerivationParametersScrypt) Validate added in v0.21.0

func (p KeyDerivationParametersScrypt) Validate() error

Validate whether the KeyDerivationParametersScrypt is valid.

type KeyType added in v0.21.0

// KeyType specifies the type of key used for EncryptedData. Values are
// converted to lowercase when decoded from JSON (see UnmarshalJSON).
type KeyType string

KeyType specifies the type of key used for EncryptedData.

// Options for KeyType. Each value corresponds to the EncryptionKey* struct of
// the same name (KeyTypeDerived to EncryptionKeyDerived, and so on).
const (
	KeyTypeDerived       KeyType = "derived"
	KeyTypeEncrypted     KeyType = "encrypted"
	KeyTypeLocal         KeyType = "local"
	KeyTypeAccountKey    KeyType = "account-key"
	KeyTypeSecretKey     KeyType = "secret-key"
	KeyTypeAWS           KeyType = "aws"
	KeyTypeGCP           KeyType = "gcp"
	KeyTypeBootstrapCode KeyType = "bootstrap-code"
)

Options for KeyType

func (*KeyType) UnmarshalJSON added in v0.21.0

func (ed *KeyType) UnmarshalJSON(b []byte) error

UnmarshalJSON populates a KeyType by converting an input string to lowercase.

type Namespace

// Namespace represents a namespace (a user or organization name). It is a
// ParentPath so it can be used wherever a parent path is expected; Set and
// Validate check the value.
type Namespace ParentPath

Namespace represents a namespace.

func (*Namespace) Set

func (n *Namespace) Set(value string) error

Set implements the flag.Value interface and validates the value.

func (Namespace) String

func (n Namespace) String() string

String returns the namespace as a string to be used for printing.

func (Namespace) Validate

func (n Namespace) Validate() error

Validate verifies whether the Namespace is valid.

func (Namespace) Value

func (n Namespace) Value() string

Value returns the namespace as a string to be used in communication with the client and in transportation to the server.

type NamespaceDetails

// NamespaceDetails defines a user or organization namespace together with
// aggregate counts of its members, repos and secrets.
// TODO: rename this to Namespace, which is currently claimed in paths.go.
type NamespaceDetails struct {
	Name        string `json:"name"`
	MemberCount int    `json:"member_count"`
	RepoCount   int    `json:"repo_count"`
	SecretCount int    `json:"secret_count"`
}

NamespaceDetails defines a user or organization namespace. TODO: rename this to Namespace, which is currently claimed in paths.go.

type OAuthConfig added in v0.30.0

// OAuthConfig carries the client-side settings of an OAuth flow; the field
// meanings presumably follow their names — confirm against the server.
type OAuthConfig struct {
	ClientID  string   `json:"client_id"`
	AuthURI   string   `json:"auth_uri"`
	Scopes    []string `json:"scopes"`
	// NOTE(review): *url.URL has no JSON marshaller, so this field encodes as
	// an object of URL components rather than as a URL string — confirm this
	// matches the wire format the server produces.
	ResultURL *url.URL `json:"result_url"`
}

type Org

// Org represents an organization account on SecretHub.
type Org struct {
	OrgID       uuid.UUID    `json:"org_id"`
	Name        string       `json:"name"`
	Description string       `json:"description"`
	CreatedAt   time.Time    `json:"created_at"`
	// Members is optional; when empty it is omitted from the JSON.
	Members     []*OrgMember `json:"members,omitempty"`
}

Org represents an organization account on SecretHub.

type OrgMember

// OrgMember represents a user's membership of an organization.
type OrgMember struct {
	OrgID         uuid.UUID `json:"org_id"`
	AccountID     uuid.UUID `json:"account_id"`
	// Role is the member's role within the organization (see the OrgRole constants).
	Role          string    `json:"role"`
	CreatedAt     time.Time `json:"created_at"`
	LastChangedAt time.Time `json:"last_changed_at"`
	// User is optional; when nil it is omitted from the JSON.
	User          *User     `json:"user,omitempty"`
}

OrgMember represents a user's membership of an organization.

type OrgName

// OrgName is the name of an organization. It is a Namespace; see Namespace()
// to convert back.
type OrgName Namespace

OrgName is the name of an organization.

func (OrgName) Namespace

func (n OrgName) Namespace() Namespace

Namespace returns the OrgName as a Namespace.

func (*OrgName) Set

func (n *OrgName) Set(value string) error

Set implements the flag.Value interface and validates the value.

func (OrgName) String

func (n OrgName) String() string

String returns the organisation's name as a string to be used for printing.

func (OrgName) Value

func (n OrgName) Value() string

Value returns the organisation's name as a string to be used in communication with the client and in transportation to the server.

type ParentPath

// ParentPath is a path to a namespace, repo or directory. This is used for
// generic blind name generation (see BlindName).
type ParentPath Path

ParentPath is a path to a namespace, repo or directory. This is used for generic blind name generation.

func (ParentPath) BlindName

func (pp ParentPath) BlindName(key *crypto.SymmetricKey) (string, error)

BlindName generates the BlindName of the ParentPath.

func (ParentPath) GetRepoPath

func (pp ParentPath) GetRepoPath() RepoPath

GetRepoPath returns the RepoPath of the ParentPath.

func (ParentPath) HasParentPath

func (pp ParentPath) HasParentPath() bool

HasParentPath checks if the ParentPath has a path or if it is the repo path.

func (ParentPath) JoinDir

func (pp ParentPath) JoinDir(dirName string) DirPath

JoinDir constructs a new DirPath combined by the ParentPath and dirName.

func (ParentPath) String

func (pp ParentPath) String() string

type Path

// Path represents a path to either a namespace, a repo, a directory, or a
// secret. Use NewPath to construct a validated value, and the To* methods to
// narrow it to a specific path type.
type Path string

Path represents a path to either a namespace, a repo, a directory, or a secret.

func NewPath

func NewPath(path string) (Path, error)

NewPath creates a new Path and validates it.

func (Path) HasVersion

func (p Path) HasVersion() bool

HasVersion returns whether the path has a version. Only SecretPath has versions, so if the path has a version it is a SecretPath.

func (*Path) Set

func (p *Path) Set(value string) error

Set implements the flag.Value interface and validates the value.

func (Path) String

func (p Path) String() string

String converts the Path to a string.

func (Path) ToDirPath

func (p Path) ToDirPath() (DirPath, error)

ToDirPath tries to convert the path to a valid DirPath

func (Path) ToNamespace

func (p Path) ToNamespace() (Namespace, error)

ToNamespace tries to convert the Path to a valid Namespace

func (Path) ToRepoPath

func (p Path) ToRepoPath() (RepoPath, error)

ToRepoPath tries to convert the Path to a valid RepoPath

func (Path) ToSecretPath

func (p Path) ToSecretPath() (SecretPath, error)

ToSecretPath tries to convert the Path to a valid SecretPath

func (*Path) Validate

func (p *Path) Validate() error

Validate checks whether the Path is either a valid SecretPath, DirPath, RepoPath or Namespace.

type Permission

// Permission defines what kind of access an access rule grants or an access
// level has.
type Permission int

Permission defines what kind of access an access rule grants or an access level has.

// The different Permission options. The iota order (none < read < write <
// admin) gives increasing numeric values; sorting by permission elsewhere in
// the package appears to rely on this order — confirm before reordering.
const (
	PermissionNone Permission = iota
	PermissionRead
	PermissionWrite
	PermissionAdmin
)

The different Permission options.

func (*Permission) Set

func (al *Permission) Set(value string) error

Set sets the Permission to the value.

func (Permission) String

func (al Permission) String() string

type Repo

// Repo represents a repo on SecretHub.
type Repo struct {
	RepoID         uuid.UUID `json:"repo_id"`
	// Owner is the namespace that owns the repo; Path joins it with Name.
	Owner          string    `json:"owner"`
	Name           string    `json:"name"`
	CreatedAt      time.Time `json:"created_at"`
	LastModifiedAt time.Time `json:"last_modified_at"`
	Status         string    `json:"status"`
	// SecretCount and MemberCount carry omitempty, so a genuine count of zero
	// is omitted from the JSON and is indistinguishable from an absent field.
	SecretCount    int       `json:"secret_count,omitempty"`
	MemberCount    int       `json:"member_count,omitempty"`
}

Repo represents a repo on SecretHub.

func (Repo) Path

func (r Repo) Path() RepoPath

Path returns the full repository path.

func (Repo) ToAuditSubject

func (r Repo) ToAuditSubject() *AuditSubject

ToAuditSubject converts a Repo to an AuditSubject.

func (Repo) Trim

func (r Repo) Trim() *Repo

Trim removes all non-essential fields from Repo for output.

type RepoKeys

// RepoKeys contains the response with the repo keys. Both fields are raw key
// material and should be treated as sensitive: do not log them and do not
// persist them outside the client's intended key storage.
type RepoKeys struct {
	RepoEncryptionKey []byte `json:"repo_encryption_key"`
	RepoIndexKey      []byte `json:"repo_index_key"`
}

RepoKeys contains the response with the repo keys.

type RepoMember

// RepoMember represents a member of a SecretHub repo.
type RepoMember struct {
	RepoID    uuid.UUID `json:"repo_id"`
	AccountID uuid.UUID `json:"account_id"`
	CreatedAt time.Time `json:"created_at"`
}

RepoMember represents a member of a SecretHub repo.

type RepoPath

// RepoPath is a type for repo paths of the form :owner/:repo_name. Use
// NewRepoPath to construct a validated value.
type RepoPath ParentPath

RepoPath is a type for repo paths of the form :owner/:repo_name.

func NewRepoPath

func NewRepoPath(path string) (RepoPath, error)

NewRepoPath formats a RepoPath from an owner and repo.

func (RepoPath) BlindName

func (rp RepoPath) BlindName(key *crypto.SymmetricKey) (string, error)

BlindName returns the blind name of the RepoPath.

func (RepoPath) GetDirPath

func (rp RepoPath) GetDirPath() DirPath

GetDirPath converts this RepoPath into a DirPath; the result should be valid.

func (RepoPath) GetNamespace

func (rp RepoPath) GetNamespace() string

GetNamespace returns the namespace of the Repo.

func (RepoPath) GetNamespaceAndRepoName

func (rp RepoPath) GetNamespaceAndRepoName() (string, string)

GetNamespaceAndRepoName returns the namespace and repo name of the Repo.

func (RepoPath) GetRepo

func (rp RepoPath) GetRepo() string

GetRepo returns the name of the Repo.

func (RepoPath) GetRepoPath

func (rp RepoPath) GetRepoPath() RepoPath

GetRepoPath returns the RepoPath itself. This function only works on validated RepoPaths and exists to implement the BlindNamePath interface.

func (*RepoPath) Set

func (rp *RepoPath) Set(value string) error

Set implements the flag.Value interface and validates the value.

func (RepoPath) String

func (rp RepoPath) String() string

String returns the repository's path as a string to be used for printing.

func (RepoPath) Validate

func (rp RepoPath) Validate() error

Validate validates a repo path of the form :owner/:repo_name.

func (RepoPath) Value

func (rp RepoPath) Value() string

Value returns the repository's path as a string to be used in communication with the client and in transportation to the server.

type RevokeOpts

// RevokeOpts contains optional query parameters for revoke requests.
type RevokeOpts struct {
	DryRun bool `url:"dry_run"` // DryRun performs a dry run without actually revoking the account.
}

RevokeOpts contains optional query parameters for revoke requests.

func (*RevokeOpts) Unmarshal

func (o *RevokeOpts) Unmarshal(values url.Values)

Unmarshal decodes url.Values into the options struct, setting default values if not present in the query values. TODO SHDEV-817: refactor this to a more extendable mechanism.

func (RevokeOpts) Values

func (o RevokeOpts) Values() (url.Values, error)

Values returns the url.Values encoding of the options.

type RevokeOrgResponse

// RevokeOrgResponse is returned as the effect of revoking an account from a
// repository. Note that DryRun is serialized under the JSON key "dry", not
// "dry_run".
type RevokeOrgResponse struct {
	DryRun       bool                  `json:"dry"` // DryRun indicates whether it was a dry run or not.
	Repos        []*RevokeRepoResponse `json:"repos"`
	StatusCounts map[string]int        `json:"status_counts"` // StatusCounts contains aggregate counts of the repos the account is revoked from.
}

RevokeOrgResponse is returned as the effect of revoking an account from a repository.

type RevokeRepoResponse

// RevokeRepoResponse is returned as the effect of revoking an account from a
// repo.
type RevokeRepoResponse struct {
	Namespace                 string `json:"namespace"` // Added for display purposes
	Name                      string `json:"name"`      // Added for display purposes
	Status                    string `json:"status"`
	RevokedSecretVersionCount int    `json:"revoked_secret_version_count"`
	RevokedSecretKeyCount     int    `json:"revoked_secret_key_count"`
}

RevokeRepoResponse is returned as the effect of revoking an account from a repo.

type RevokeResponse

// RevokeResponse is returned when a revoke command is executed. It lists the
// secret versions and secret keys that were revoked.
type RevokeResponse struct {
	RevokedSecretVersions []*EncryptedSecretVersion `json:"revoked_secret_versions"`
	RevokedSecretKeys     []*SecretKey              `json:"revoked_secret_keys"`
}

RevokeResponse is returned when a revoke command is executed.

type Secret

// Secret represents a decrypted secret in SecretHub: its identifiers, name,
// blind name, version counters and status. The secret's data is not part of
// this struct (see SecretVersion).
type Secret struct {
	SecretID      uuid.UUID `json:"secret_id"`
	DirID         uuid.UUID `json:"dir_id"`
	RepoID        uuid.UUID `json:"repo_id"`
	Name          string    `json:"name"`
	// BlindName is the server-side identifier derived from the path (see BlindName on the path types).
	BlindName     string    `json:"blind_name"`
	VersionCount  int       `json:"version_count"`
	LatestVersion int       `json:"latest_version"`
	Status        string    `json:"status"`
	CreatedAt     time.Time `json:"created_at"`
}

Secret represents a decrypted secret in SecretHub.

func (*Secret) HasName

func (s *Secret) HasName(name string) bool

HasName returns true when the secret has the exact name.

type SecretAccessRequest

// SecretAccessRequest contains the request fields to grant an account access
// to a secret: the encrypted name for the node and the secret keys encrypted
// for the account.
type SecretAccessRequest struct {
	Name EncryptedNameForNodeRequest `json:"name_member"`
	Keys []SecretKeyMemberRequest    `json:"keys"`
}

SecretAccessRequest contains the request fields to grant an account access to a secret.

func (*SecretAccessRequest) Validate

func (r *SecretAccessRequest) Validate() error

Validate validates the request fields.

type SecretKey

// SecretKey represents a secret key that is intended to be used by a specific
// account.
type SecretKey struct {
	SecretKeyID uuid.UUID            `json:"secret_key_id"`
	AccountID   uuid.UUID            `json:"account_id"`
	// Key is the symmetric key material; treat it as sensitive and keep it
	// out of logs and diagnostics.
	Key         *crypto.SymmetricKey `json:"key"`
}

SecretKey represents a secret key that is intended to be used by a specific account.

func (*SecretKey) ToAuditSubject

func (sk *SecretKey) ToAuditSubject() *AuditSubject

ToAuditSubject converts a SecretKey to an AuditSubject.

type SecretKeyMemberRequest

// SecretKeyMemberRequest contains the request fields to grant access to a
// secret key: the secret key, encrypted with RSA for the given account.
type SecretKeyMemberRequest struct {
	AccountID    uuid.UUID            `json:"account_id"`
	SecretKeyID  uuid.UUID            `json:"secret_key_id"`
	EncryptedKey crypto.CiphertextRSA `json:"encrypted_key"`
}

SecretKeyMemberRequest contains the request fields to grant access to a secret key.

func (*SecretKeyMemberRequest) Validate

func (skmr *SecretKeyMemberRequest) Validate() error

Validate validates the request fields.

type SecretPath

// SecretPath is a custom type for secret paths of the form
// :owner/:repo_name/:secret, optionally followed by a version (see HasVersion
// and AddVersion). Use NewSecretPath to construct a validated value.
type SecretPath string

SecretPath is a custom type for secret paths of the form :owner/:repo_name/:secret.

func NewSecretPath

func NewSecretPath(path string) (SecretPath, error)

NewSecretPath formats a SecretPath from an owner, repo, and a secret.

func (SecretPath) AddVersion

func (sp SecretPath) AddVersion(version int) (SecretPath, error)

AddVersion adds a version to a SecretPath and returns this path.

func (SecretPath) BlindName

func (sp SecretPath) BlindName(key *crypto.SymmetricKey) (string, error)

BlindName converts a SecretPath to a blindname. BlindName ignores the Secret Version.

func (SecretPath) GetNamespace

func (sp SecretPath) GetNamespace() string

GetNamespace returns the namespace in the SecretPath.

func (SecretPath) GetParentPath

func (sp SecretPath) GetParentPath() (ParentPath, error)

GetParentPath gets the ParentPath from the SecretPath.

func (SecretPath) GetRepo

func (sp SecretPath) GetRepo() string

GetRepo returns the repo name in the SecretPath.

func (SecretPath) GetRepoPath

func (sp SecretPath) GetRepoPath() RepoPath

GetRepoPath gets the RepoPath from the SecretPath. This function only works on validated SecretPaths.

func (SecretPath) GetSecret

func (sp SecretPath) GetSecret() string

GetSecret gets the secret name from the path.

func (SecretPath) GetVersion

func (sp SecretPath) GetVersion() (string, error)

GetVersion gets the version from the path.

func (SecretPath) HasVersion

func (sp SecretPath) HasVersion() bool

HasVersion returns whether there is a version specified in the path.

func (*SecretPath) Set

func (sp *SecretPath) Set(value string) error

Set implements the flag.Value interface and validates the value.

func (SecretPath) String

func (sp SecretPath) String() string

String returns the secret path as a string to be used for printing.

func (SecretPath) Validate

func (sp SecretPath) Validate() error

Validate validates a Secret path.

func (SecretPath) Value

func (sp SecretPath) Value() string

Value returns the secret path as a string to be used in communication with the client and in transportation to the server.

type SecretVersion

// SecretVersion represents a version of a Secret without any encrypted data.
type SecretVersion struct {
	SecretVersionID uuid.UUID  `json:"secret_version_id"`
	Secret          *Secret    `json:"secret"`
	Version         int        `json:"version"`
	// SecretKey is optional; when nil it is omitted from the JSON.
	SecretKey       *SecretKey `json:"secret_key,omitempty"`
	// Data is optional; when present it is presumably the decrypted secret
	// value (this type carries no encrypted data) and should be treated as
	// sensitive — confirm against the producer.
	Data            []byte     `json:"data,omitempty"`
	CreatedAt       time.Time  `json:"created_at"`
	Status          string     `json:"status"`
}

SecretVersion represents a version of a Secret without any encrypted data.

func (*SecretVersion) IsLatest

func (sv *SecretVersion) IsLatest() bool

IsLatest returns true when the secret version is the latest version of the secret.

func (*SecretVersion) Name

func (sv *SecretVersion) Name() string

Name returns the secret's name and version in the form name:version.

type Service

// Service represents a service account on SecretHub.
type Service struct {
	AccountID   uuid.UUID   `json:"account_id"`
	ServiceID   string      `json:"service_id"`
	Repo        *Repo       `json:"repo"`
	Description string      `json:"description"`
	// CreatedBy is the account that created the service.
	CreatedBy   uuid.UUID   `json:"created_by"`
	CreatedAt   time.Time   `json:"created_at"`
	Credential  *Credential `json:"credential"`
}

Service represents a service account on SecretHub.

func (Service) ToAuditActor

func (a Service) ToAuditActor() *AuditActor

ToAuditActor converts a Service to an AuditActor.

func (Service) ToAuditSubject

func (a Service) ToAuditSubject() *AuditSubject

ToAuditSubject converts a Service to an AuditSubject.

func (Service) Trim

func (a Service) Trim() *Service

Trim removes all non-essential fields from Service for output.

type Session added in v0.21.0

// Session represents a session that can be used for authentication to the
// server. Payload is typed according to Type; UnmarshalJSON decodes it into
// the matching payload type, and HMAC() returns the HMAC-specific view.
type Session struct {
	SessionID uuid.UUID   `json:"session_id"`
	// ExpiresAt is the time after which the session must no longer be accepted.
	ExpiresAt time.Time   `json:"expires_at"`
	Type      SessionType `json:"type"`
	// Payload holds the type-specific session data (SessionPayloadHMAC for SessionTypeHMAC).
	Payload   interface{} `json:"payload"`
}

Session represents a session that can be used for authentication to the server.

func NewSessionHMAC added in v0.21.0

func NewSessionHMAC(sessionID uuid.UUID, expiration time.Time, secretKey string) *Session

NewSessionHMAC returns an HMAC-type api.Session.

func (*Session) HMAC added in v0.21.0

func (s *Session) HMAC() *SessionHMAC

HMAC returns the HMAC specific representation of this session.

func (*Session) UnmarshalJSON added in v0.21.0

func (s *Session) UnmarshalJSON(b []byte) error

UnmarshalJSON converts a JSON representation into a Session with the correct Payload.

func (*Session) Validate added in v0.21.0

func (s *Session) Validate() error

Validate whether the Session is valid.

type SessionHMAC added in v0.21.0

// SessionHMAC is a session that uses the HMAC algorithm to verify the
// authentication. It is the typed view of a Session with Type
// SessionTypeHMAC (see Session.HMAC); it carries no JSON tags of its own.
type SessionHMAC struct {
	SessionID uuid.UUID
	Expires   time.Time
	Payload   SessionPayloadHMAC
}

SessionHMAC is a session that uses the HMAC algorithm to verify the authentication.

type SessionPayloadHMAC added in v0.21.0

// SessionPayloadHMAC is the payload of an HMAC-typed session.
type SessionPayloadHMAC struct {
	// SessionKey is the secret used to compute the session's HMAC; treat it
	// like a credential and keep it out of logs.
	SessionKey string `json:"session_key"`
}

SessionPayloadHMAC is the payload of an HMAC-typed session.

func (*SessionPayloadHMAC) Validate added in v0.21.0

func (pl *SessionPayloadHMAC) Validate() error

Validate whether the SessionPayloadHMAC is valid.

type SessionType added in v0.21.0

// SessionType defines how a session can be used and which payload type its
// Session carries.
type SessionType string

SessionType defines how a session can be used.

// SessionType options.
const (
	// SessionTypeHMAC marks a session whose payload is a SessionPayloadHMAC.
	SessionTypeHMAC SessionType = "hmac"
)

SessionType options

type SortAccessLevels

// SortAccessLevels sorts a list of AccessLevels first by the permission and
// then by the account name. It implements sort.Interface.
type SortAccessLevels []*AccessLevel

SortAccessLevels sorts a list of AccessLevels first by the permission and then by the account name.

func (SortAccessLevels) Len

func (s SortAccessLevels) Len() int

func (SortAccessLevels) Less

func (s SortAccessLevels) Less(i, j int) bool

func (SortAccessLevels) Swap

func (s SortAccessLevels) Swap(i, j int)

type SortAccessRules

// SortAccessRules makes a list of AccessRules sortable. Sort order: Permission
// (high to low), AccountName (natural). It implements sort.Interface.
type SortAccessRules []*AccessRule

SortAccessRules makes a list of AccessRules sortable. Sort order: Permission (high to low), AccountName (natural)

func (SortAccessRules) Len

func (s SortAccessRules) Len() int

func (SortAccessRules) Less

func (s SortAccessRules) Less(i, j int) bool

func (SortAccessRules) Swap

func (s SortAccessRules) Swap(i, j int)

type SortDirByName

// SortDirByName makes a list of Dir sortable by name. It implements
// sort.Interface.
type SortDirByName []*Dir

SortDirByName makes a list of Dir sortable.

func (SortDirByName) Len

func (d SortDirByName) Len() int

func (SortDirByName) Less

func (d SortDirByName) Less(i, j int) bool

func (SortDirByName) Swap

func (d SortDirByName) Swap(i, j int)

type SortDirPaths

// SortDirPaths makes a slice of dir paths sortable. It implements
// sort.Interface.
type SortDirPaths []DirPath

SortDirPaths makes a slice of dir paths sortable.

func (SortDirPaths) Len

func (s SortDirPaths) Len() int

func (SortDirPaths) Less

func (s SortDirPaths) Less(i, j int) bool

func (SortDirPaths) Swap

func (s SortDirPaths) Swap(i, j int)

type SortOrgByName

// SortOrgByName makes a list of orgs sortable by name. It implements
// sort.Interface.
type SortOrgByName []*Org

SortOrgByName makes a list of orgs sortable.

func (SortOrgByName) Len

func (s SortOrgByName) Len() int

func (SortOrgByName) Less

func (s SortOrgByName) Less(i, j int) bool

func (SortOrgByName) Swap

func (s SortOrgByName) Swap(i, j int)

type SortOrgMemberByUsername

// SortOrgMemberByUsername makes a list of org members sortable by username.
// It implements sort.Interface.
type SortOrgMemberByUsername []*OrgMember

SortOrgMemberByUsername makes a list of org members sortable.

func (SortOrgMemberByUsername) Len

func (s SortOrgMemberByUsername) Len() int

func (SortOrgMemberByUsername) Less

func (s SortOrgMemberByUsername) Less(i, j int) bool

func (SortOrgMemberByUsername) Swap

func (s SortOrgMemberByUsername) Swap(i, j int)

type SortRepoByName

// SortRepoByName makes a list of repos sortable by name. It implements
// sort.Interface.
type SortRepoByName []*Repo

SortRepoByName makes a list of repos sortable.

func (SortRepoByName) Len

func (r SortRepoByName) Len() int

func (SortRepoByName) Less

func (r SortRepoByName) Less(i, j int) bool

func (SortRepoByName) Swap

func (r SortRepoByName) Swap(i, j int)

type SortSecretByName

// SortSecretByName makes a list of Secret sortable by name. It implements
// sort.Interface.
type SortSecretByName []*Secret

SortSecretByName makes a list of Secret sortable.

func (SortSecretByName) Len

func (s SortSecretByName) Len() int

func (SortSecretByName) Less

func (s SortSecretByName) Less(i, j int) bool

func (SortSecretByName) Swap

func (s SortSecretByName) Swap(i, j int)

type Tree

// Tree contains a full tree from the RootDir and all dirs and secrets.
// ParentPath is used to construct absolute paths: it is the path to the parent
// of the root dir, e.g. for namespace/repo/parent/rootdir the ParentPath is
// namespace/repo/parent.
type Tree struct {
	ParentPath ParentPath
	RootDir    *Dir
	// Dirs and Secrets are keyed by their IDs; AbsDirPath and AbsSecretPath
	// look entries up here.
	Dirs       map[uuid.UUID]*Dir
	Secrets    map[uuid.UUID]*Secret
}

Tree contains a full tree from the RootDir and all dirs and secrets. ParentPath is used to construct absolute paths. ParentPath is the path to the parent of the root dir, e.g. for namespace/repo/parent/rootdir the ParentPath is namespace/repo/parent.

func (Tree) AbsDirPath

func (t Tree) AbsDirPath(dirID uuid.UUID) (DirPath, error)

AbsDirPath returns the full path of the dir. This function makes the assumption that only the root dir has no parentID. If not, an error will occur.

func (Tree) AbsSecretPath

func (t Tree) AbsSecretPath(secretID uuid.UUID) (*SecretPath, error)

AbsSecretPath returns the full path of the secret. This function makes the assumption that every secret has a ParentDir. If not, an error will occur.

func (Tree) DirCount

func (t Tree) DirCount() int

DirCount returns the number of directories inside the tree. This does not include the root directory.

func (Tree) SecretCount

func (t Tree) SecretCount() int

SecretCount returns the number of secrets contained in the tree.

type UpdateAccessRuleRequest

// UpdateAccessRuleRequest contains the request fields for updating an
// AccessRule.
type UpdateAccessRuleRequest struct {
	// Permission is the new permission for the rule (see the Permission constants).
	Permission Permission `json:"permission"`
}

UpdateAccessRuleRequest contains the request fields for updating an AccessRule.

func (*UpdateAccessRuleRequest) Validate

func (uar *UpdateAccessRuleRequest) Validate() error

Validate validates the request fields.

type UpdateCredentialRequest added in v0.25.0

// UpdateCredentialRequest contains the fields of a credential that can be
// updated.
type UpdateCredentialRequest struct {
	// Enabled is a pointer so that "not provided" (nil) can be told apart
	// from an explicit false; a nil value is omitted from the JSON.
	Enabled *bool `json:"enabled,omitempty"`
}

UpdateCredentialRequest contains the fields of a credential that can be updated.

func (*UpdateCredentialRequest) Validate added in v0.25.0

func (req *UpdateCredentialRequest) Validate() error

Validate whether the UpdateCredentialRequest is a valid request.

type UpdateOrgMemberRequest

// UpdateOrgMemberRequest contains the required fields for updating a user's
// organization membership.
type UpdateOrgMemberRequest struct {
	// Role is the new role (see the OrgRole constants); Validate checks it.
	Role string `json:"role"`
}

UpdateOrgMemberRequest contains the required fields for updating a user's organization membership.

func (UpdateOrgMemberRequest) Validate

func (req UpdateOrgMemberRequest) Validate() error

Validate validates the request fields.

type User

// User represents a SecretHub user. The fields marked optional are private
// information and are only returned for the requesting user themself.
type User struct {
	AccountID     uuid.UUID  `json:"account_id"`
	PublicKey     []byte     `json:"public_key"`
	Username      string     `json:"username"`
	FullName      string     `json:"full_name"`
	Email         string     `json:"user_email,omitempty"`     // Optional, private information is only returned for yourself
	// EmailVerified carries omitempty, so a verified value of false is omitted
	// from the JSON and cannot be told apart from "not returned".
	EmailVerified bool       `json:"email_verified,omitempty"` // Optional, private information is only returned for yourself
	CreatedAt     *time.Time `json:"created_at,omitempty"`     // Optional, private information is only returned for yourself
	LastLoginAt   *time.Time `json:"last_login_at,omitempty"`  // Optional, private information is only returned for yourself
}

User represents a SecretHub user.

func (User) PrettyName

func (u User) PrettyName() string

PrettyName returns a printable string with the username and full name.

func (User) ToAuditActor

func (u User) ToAuditActor() *AuditActor

ToAuditActor converts a User to an AuditActor.

func (User) ToAuditSubject

func (u User) ToAuditSubject() *AuditSubject

ToAuditSubject converts a User to an AuditSubject.

func (User) Trim

func (u User) Trim() *User

Trim removes all non-essential fields from User for output.

Directories

Path Synopsis
Package uuid is a utility package to standardize and abstract away how UUIDs are generated and used.
Package uuid is a utility package to standardize and abstract away how UUIDs are generated and used.
