api

package
v0.10.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 6, 2018 License: MPL-2.0 Imports: 32 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// SSHHelperDefaultMountPoint is the default path at which SSH backend will be
	// mounted in the Vault server.
	SSHHelperDefaultMountPoint = "ssh"

	// VerifyEchoRequest is the echo request message sent as OTP by the helper.
	VerifyEchoRequest = "verify-echo-request"

	// VerifyEchoResponse is the echo response message sent as a response to OTP
	// matching echo request.
	VerifyEchoResponse = "verify-echo-response"
)
View Source
const EnvRateLimit = "VAULT_RATE_LIMIT"
View Source
const EnvVaultAddress = "VAULT_ADDR"
View Source
const EnvVaultCACert = "VAULT_CACERT"
View Source
const EnvVaultCAPath = "VAULT_CAPATH"
View Source
const EnvVaultClientCert = "VAULT_CLIENT_CERT"
View Source
const EnvVaultClientKey = "VAULT_CLIENT_KEY"
View Source
const EnvVaultClientTimeout = "VAULT_CLIENT_TIMEOUT"
View Source
const EnvVaultInsecure = "VAULT_SKIP_VERIFY"
View Source
const EnvVaultMFA = "VAULT_MFA"
View Source
const EnvVaultMaxRetries = "VAULT_MAX_RETRIES"
View Source
const EnvVaultTLSServerName = "VAULT_TLS_SERVER_NAME"
View Source
const EnvVaultToken = "VAULT_TOKEN"
View Source
const EnvVaultWrapTTL = "VAULT_WRAP_TTL"

Variables

View Source
var (
	// The default TTL that will be used with `sys/wrapping/wrap`, can be
	// changed
	DefaultWrappingTTL = "5m"

	// The default function used if no other function is set, which honors the
	// env var and wraps `sys/wrapping/wrap`
	DefaultWrappingLookupFunc = func(operation, path string) string {
		if os.Getenv(EnvVaultWrapTTL) != "" {
			return os.Getenv(EnvVaultWrapTTL)
		}

		if (operation == "PUT" || operation == "POST") && path == "sys/wrapping/wrap" {
			return DefaultWrappingTTL
		}

		return ""
	}
)
View Source
var (
	ErrRenewerMissingInput  = errors.New("missing input to renewer")
	ErrRenewerMissingSecret = errors.New("missing secret to renew")
	ErrRenewerNotRenewable  = errors.New("secret is not renewable")
	ErrRenewerNoSecretData  = errors.New("returned empty secret data")

	// DefaultRenewerRenewBuffer is the default size of the buffer for renew
	// messages on the channel.
	DefaultRenewerRenewBuffer = 5
)

Functions

This section is empty.

Types

type Audit

type Audit struct {
	Path        string
	Type        string
	Description string
	Options     map[string]string
	Local       bool
}

type Auth

type Auth struct {
	// contains filtered or unexported fields
}

Auth is used to perform credential backend related operations.

func (*Auth) Token

func (a *Auth) Token() *TokenAuth

Token is used to return the client for token-backend API calls

type AuthConfigInput added in v0.8.2

type AuthConfigInput struct {
	DefaultLeaseTTL           string   `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	MaxLeaseTTL               string   `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	PluginName                string   `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
	AuditNonHMACRequestKeys   []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
	AuditNonHMACResponseKeys  []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
	ListingVisibility         string   `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
}

type AuthConfigOutput added in v0.6.1

type AuthConfigOutput struct {
	DefaultLeaseTTL           int      `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	MaxLeaseTTL               int      `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	PluginName                string   `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
	AuditNonHMACRequestKeys   []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
	AuditNonHMACResponseKeys  []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
	ListingVisibility         string   `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
}

type AuthMount

type AuthMount struct {
	Type        string            `json:"type" mapstructure:"type"`
	Description string            `json:"description" mapstructure:"description"`
	Accessor    string            `json:"accessor" mapstructure:"accessor"`
	Config      AuthConfigOutput  `json:"config" mapstructure:"config"`
	Local       bool              `json:"local" mapstructure:"local"`
	SealWrap    bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
	Options     map[string]string `json:"options" mapstructure:"options"`
}

type CORSRequest added in v0.8.0

type CORSRequest struct {
	AllowedOrigins string `json:"allowed_origins"`
	Enabled        bool   `json:"enabled"`
}

type CORSResponse added in v0.8.0

type CORSResponse struct {
	AllowedOrigins string `json:"allowed_origins"`
	Enabled        bool   `json:"enabled"`
}

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is the client to the Vault API. Create a client with NewClient.

func NewClient

func NewClient(c *Config) (*Client, error)

NewClient returns a new client for the given configuration.

If the configuration is nil, Vault will use configuration from DefaultConfig(), which is the recommended starting configuration.

If the environment variable `VAULT_TOKEN` is present, the token will be automatically added to the client. Otherwise, you must manually call `SetToken()`.

func (*Client) Address added in v0.6.3

func (c *Client) Address() string

Address returns the Vault URL the client is configured to connect to

func (*Client) Auth

func (c *Client) Auth() *Auth

Auth is used to return the client for credential-backend API calls.

func (*Client) ClearToken

func (c *Client) ClearToken()

ClearToken deletes the token if it is set or does nothing otherwise.

func (*Client) Clone added in v0.8.0

func (c *Client) Clone() (*Client, error)

Clone creates a new client with the same configuration. Note that the same underlying http.Client is used; modifying the client from more than one goroutine at once may not be safe, so modify the client as needed and then clone.

func (*Client) CurrentWrappingLookupFunc added in v0.10.2

func (c *Client) CurrentWrappingLookupFunc() WrappingLookupFunc

CurrentWrappingLookupFunc sets a lookup function that returns desired wrap TTLs for a given operation and path

func (*Client) Help

func (c *Client) Help(path string) (*Help, error)

Help reads the help information for the given path.

func (*Client) Logical

func (c *Client) Logical() *Logical

Logical is used to return the client for logical-backend API calls.

func (*Client) NewRenewer added in v0.8.0

func (c *Client) NewRenewer(i *RenewerInput) (*Renewer, error)

NewRenewer creates a new renewer from the given input.

func (*Client) NewRequest

func (c *Client) NewRequest(method, requestPath string) *Request

NewRequest creates a new raw request object to query the Vault server configured for this client. This is an advanced method and generally doesn't need to be called externally.

func (*Client) RawRequest

func (c *Client) RawRequest(r *Request) (*Response, error)

RawRequest performs the raw request given. This request may be against a Vault server not configured with this client. This is an advanced operation that generally won't need to be called externally.

func (*Client) SSH added in v0.3.0

func (c *Client) SSH() *SSH

SSH returns the client for logical-backend API calls.

func (*Client) SSHHelper added in v0.5.1

func (c *Client) SSHHelper() *SSHHelper

SSHHelper creates an SSHHelper object which can talk to Vault server with SSH backend mounted at default path ("ssh").

func (*Client) SSHHelperWithMountPoint added in v0.5.1

func (c *Client) SSHHelperWithMountPoint(mountPoint string) *SSHHelper

SSHHelperWithMountPoint creates an SSHHelper object which can talk to Vault server with SSH backend mounted at a specific mount point.

func (*Client) SSHWithMountPoint added in v0.3.0

func (c *Client) SSHWithMountPoint(mountPoint string) *SSH

SSHWithMountPoint returns the client with specific SSH mount point.

func (*Client) SetAddress added in v0.6.1

func (c *Client) SetAddress(addr string) error

Sets the address of Vault in the client. The format of address should be "<Scheme>://<Host>:<Port>". Setting this on a client will override the value of VAULT_ADDR environment variable.

func (*Client) SetBackoff added in v0.10.2

func (c *Client) SetBackoff(backoff retryablehttp.Backoff)

SetBackoff sets the backoff function to be used for future requests.

func (*Client) SetClientTimeout added in v0.8.0

func (c *Client) SetClientTimeout(timeout time.Duration)

SetClientTimeout sets the client request timeout

func (*Client) SetHeaders added in v0.9.0

func (c *Client) SetHeaders(headers http.Header)

SetHeaders sets the headers to be used for future requests.

func (*Client) SetLimiter added in v0.10.2

func (c *Client) SetLimiter(rateLimit float64, burst int)

SetLimiter will set the rate limiter for this client. This method is thread-safe. rateLimit and burst are specified according to https://godoc.org/golang.org/x/time/rate#NewLimiter

func (*Client) SetMFACreds added in v0.9.0

func (c *Client) SetMFACreds(creds []string)

SetMFACreds sets the MFA credentials supplied either via the environment variable or via the command line.

func (*Client) SetMaxRetries added in v0.7.0

func (c *Client) SetMaxRetries(retries int)

SetMaxRetries sets the number of retries that will be used in the case of certain errors

func (*Client) SetPolicyOverride added in v0.9.0

func (c *Client) SetPolicyOverride(override bool)

SetPolicyOverride sets whether requests should be sent with the policy override flag to request overriding soft-mandatory Sentinel policies (both RGPs and EGPs)

func (*Client) SetToken

func (c *Client) SetToken(v string)

SetToken sets the token directly. This won't perform any auth verification, it simply sets the token properly for future requests.

func (*Client) SetWrappingLookupFunc added in v0.6.0

func (c *Client) SetWrappingLookupFunc(lookupFunc WrappingLookupFunc)

SetWrappingLookupFunc sets a lookup function that returns desired wrap TTLs for a given operation and path

func (*Client) Sys

func (c *Client) Sys() *Sys

Sys is used to return the client for sys-related API calls.

func (*Client) Token

func (c *Client) Token() string

Token returns the access token being used by this client. It will return the empty string if there is no token set.

type Config

type Config struct {

	// Address is the address of the Vault server. This should be a complete
	// URL such as "http://vault.example.com". If you need a custom SSL
	// cert or want to enable insecure mode, you need to specify a custom
	// HttpClient.
	Address string

	// HttpClient is the HTTP client to use. Vault sets sane defaults for the
	// http.Client and its associated http.Transport created in DefaultConfig.
	// If you must modify Vault's defaults, it is suggested that you start with
	// that client and modify as needed rather than start with an empty client
	// (or http.DefaultClient).
	HttpClient *http.Client

	// MaxRetries controls the maximum number of times to retry when a 5xx
	// error occurs. Set to 0 to disable retrying. Defaults to 2 (for a total
	// of three tries).
	MaxRetries int

	// Timeout is for setting custom timeout parameter in the HttpClient
	Timeout time.Duration

	// If there is an error when creating the configuration, this will be the
	// error
	Error error

	// The Backoff function to use; a default is used if not provided
	Backoff retryablehttp.Backoff

	// Limiter is the rate limiter used by the client.
	// If this pointer is nil, then there will be no limit set.
	// In contrast, if this pointer is set, even to an empty struct,
	// then that limiter will be used. Note that an empty Limiter
	// is equivalent blocking all events.
	Limiter *rate.Limiter
	// contains filtered or unexported fields
}

Config is used to configure the creation of the client.

func DefaultConfig

func DefaultConfig() *Config

DefaultConfig returns a default configuration for the client. It is safe to modify the return value of this function.

The default Address is https://127.0.0.1:8200, but this can be overridden by setting the `VAULT_ADDR` environment variable.

If an error is encountered, this will return nil.

func (*Config) ConfigureTLS added in v0.6.1

func (c *Config) ConfigureTLS(t *TLSConfig) error

ConfigureTLS takes a set of TLS configurations and applies those to the the HTTP client.

func (*Config) ReadEnvironment added in v0.4.0

func (c *Config) ReadEnvironment() error

ReadEnvironment reads configuration information from the environment. If there is an error, no configuration value is updated.

type DeregisterPluginInput added in v0.10.0

type DeregisterPluginInput struct {
	// Name is the name of the plugin. Required.
	Name string `json:"-"`
}

DeregisterPluginInput is used as input to the DeregisterPlugin function.

type EnableAuditOptions added in v0.7.0

type EnableAuditOptions struct {
	Type        string            `json:"type"`
	Description string            `json:"description"`
	Options     map[string]string `json:"options"`
	Local       bool              `json:"local"`
}

type EnableAuthOptions added in v0.7.0

type EnableAuthOptions struct {
	Type        string            `json:"type"`
	Description string            `json:"description"`
	Config      AuthConfigInput   `json:"config"`
	Local       bool              `json:"local"`
	PluginName  string            `json:"plugin_name,omitempty"`
	SealWrap    bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
	Options     map[string]string `json:"options" mapstructure:"options"`
}

type ErrorResponse

type ErrorResponse struct {
	Errors []string
}

ErrorResponse is the raw structure of errors when they're returned by the HTTP API.

type GenerateRootStatusResponse added in v0.5.0

type GenerateRootStatusResponse struct {
	Nonce            string `json:"nonce"`
	Started          bool   `json:"started"`
	Progress         int    `json:"progress"`
	Required         int    `json:"required"`
	Complete         bool   `json:"complete"`
	EncodedToken     string `json:"encoded_token"`
	EncodedRootToken string `json:"encoded_root_token"`
	PGPFingerprint   string `json:"pgp_fingerprint"`
}

type GetPluginInput added in v0.10.0

type GetPluginInput struct {
	Name string `json:"-"`
}

GetPluginInput is used as input to the GetPlugin function.

type GetPluginResponse added in v0.10.0

type GetPluginResponse struct {
	Args    []string `json:"args"`
	Builtin bool     `json:"builtin"`
	Command string   `json:"command"`
	Name    string   `json:"name"`
	SHA256  string   `json:"sha256"`
}

GetPluginResponse is the response from the GetPlugin call.

type HealthResponse added in v0.7.3

type HealthResponse struct {
	Initialized                bool   `json:"initialized"`
	Sealed                     bool   `json:"sealed"`
	Standby                    bool   `json:"standby"`
	ReplicationPerformanceMode string `json:"replication_performance_mode"`
	ReplicationDRMode          string `json:"replication_dr_mode"`
	ServerTimeUTC              int64  `json:"server_time_utc"`
	Version                    string `json:"version"`
	ClusterName                string `json:"cluster_name,omitempty"`
	ClusterID                  string `json:"cluster_id,omitempty"`
}

type Help

type Help struct {
	Help    string   `json:"help"`
	SeeAlso []string `json:"see_also"`
}

type InitRequest

type InitRequest struct {
	SecretShares      int      `json:"secret_shares"`
	SecretThreshold   int      `json:"secret_threshold"`
	StoredShares      int      `json:"stored_shares"`
	PGPKeys           []string `json:"pgp_keys"`
	RecoveryShares    int      `json:"recovery_shares"`
	RecoveryThreshold int      `json:"recovery_threshold"`
	RecoveryPGPKeys   []string `json:"recovery_pgp_keys"`
	RootTokenPGPKey   string   `json:"root_token_pgp_key"`
}

type InitResponse

type InitResponse struct {
	Keys            []string `json:"keys"`
	KeysB64         []string `json:"keys_base64"`
	RecoveryKeys    []string `json:"recovery_keys"`
	RecoveryKeysB64 []string `json:"recovery_keys_base64"`
	RootToken       string   `json:"root_token"`
}

type InitStatusResponse

type InitStatusResponse struct {
	Initialized bool
}

type KeyStatus added in v0.2.0

type KeyStatus struct {
	Term        int       `json:"term"`
	InstallTime time.Time `json:"install_time"`
}

type LeaderResponse

type LeaderResponse struct {
	HAEnabled            bool   `json:"ha_enabled"`
	IsSelf               bool   `json:"is_self"`
	LeaderAddress        string `json:"leader_address"`
	LeaderClusterAddress string `json:"leader_cluster_address"`
}

type ListPluginsInput added in v0.10.0

type ListPluginsInput struct{}

ListPluginsInput is used as input to the ListPlugins function.

type ListPluginsResponse added in v0.10.0

type ListPluginsResponse struct {
	// Names is the list of names of the plugins.
	Names []string
}

ListPluginsResponse is the response from the ListPlugins call.

type Logical

type Logical struct {
	// contains filtered or unexported fields
}

Logical is used to perform logical backend operations on Vault.

func (*Logical) Delete

func (c *Logical) Delete(path string) (*Secret, error)

func (*Logical) List added in v0.5.0

func (c *Logical) List(path string) (*Secret, error)

func (*Logical) Read

func (c *Logical) Read(path string) (*Secret, error)

func (*Logical) Unwrap added in v0.6.0

func (c *Logical) Unwrap(wrappingToken string) (*Secret, error)

func (*Logical) Write

func (c *Logical) Write(path string, data map[string]interface{}) (*Secret, error)

type MountConfigInput added in v0.3.0

type MountConfigInput struct {
	Options                   map[string]string `json:"options" mapstructure:"options"`
	DefaultLeaseTTL           string            `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	MaxLeaseTTL               string            `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	ForceNoCache              bool              `json:"force_no_cache" mapstructure:"force_no_cache"`
	PluginName                string            `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
	AuditNonHMACRequestKeys   []string          `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
	AuditNonHMACResponseKeys  []string          `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
	ListingVisibility         string            `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
	PassthroughRequestHeaders []string          `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
}

type MountConfigOutput added in v0.3.0

type MountConfigOutput struct {
	DefaultLeaseTTL           int      `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	MaxLeaseTTL               int      `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	ForceNoCache              bool     `json:"force_no_cache" mapstructure:"force_no_cache"`
	PluginName                string   `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
	AuditNonHMACRequestKeys   []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
	AuditNonHMACResponseKeys  []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
	ListingVisibility         string   `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
}

type MountInput added in v0.3.0

type MountInput struct {
	Type        string            `json:"type"`
	Description string            `json:"description"`
	Config      MountConfigInput  `json:"config"`
	Options     map[string]string `json:"options"`
	Local       bool              `json:"local"`
	PluginName  string            `json:"plugin_name,omitempty"`
	SealWrap    bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
}

type MountOutput added in v0.3.0

type MountOutput struct {
	Type        string            `json:"type"`
	Description string            `json:"description"`
	Accessor    string            `json:"accessor"`
	Config      MountConfigOutput `json:"config"`
	Options     map[string]string `json:"options"`
	Local       bool              `json:"local"`
	SealWrap    bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
}

type RegisterPluginInput added in v0.10.0

type RegisterPluginInput struct {
	// Name is the name of the plugin. Required.
	Name string `json:"-"`

	// Args is the list of args to spawn the process with.
	Args []string `json:"args,omitempty"`

	// Command is the command to run.
	Command string `json:"command,omitempty"`

	// SHA256 is the shasum of the plugin.
	SHA256 string `json:"sha256,omitempty"`
}

RegisterPluginInput is used as input to the RegisterPlugin function.

type RekeyInitRequest added in v0.2.0

type RekeyInitRequest struct {
	SecretShares        int      `json:"secret_shares"`
	SecretThreshold     int      `json:"secret_threshold"`
	StoredShares        int      `json:"stored_shares"`
	PGPKeys             []string `json:"pgp_keys"`
	Backup              bool
	RequireVerification bool `json:"require_verification"`
}

type RekeyRetrieveResponse added in v0.5.0

type RekeyRetrieveResponse struct {
	Nonce   string              `json:"nonce"`
	Keys    map[string][]string `json:"keys"`
	KeysB64 map[string][]string `json:"keys_base64"`
}

type RekeyStatusResponse added in v0.2.0

type RekeyStatusResponse struct {
	Nonce                string   `json:"nonce"`
	Started              bool     `json:"started"`
	T                    int      `json:"t"`
	N                    int      `json:"n"`
	Progress             int      `json:"progress"`
	Required             int      `json:"required"`
	PGPFingerprints      []string `json:"pgp_fingerprints"`
	Backup               bool     `json:"backup"`
	VerificationRequired bool     `json:"verification_required"`
	VerificationNonce    string   `json:"verification_nonce"`
}

type RekeyUpdateResponse added in v0.2.0

type RekeyUpdateResponse struct {
	Nonce                string   `json:"nonce"`
	Complete             bool     `json:"complete"`
	Keys                 []string `json:"keys"`
	KeysB64              []string `json:"keys_base64"`
	PGPFingerprints      []string `json:"pgp_fingerprints"`
	Backup               bool     `json:"backup"`
	VerificationRequired bool     `json:"verification_required"`
	VerificationNonce    string   `json:"verification_nonce,omitempty"`
}

type RekeyVerificationStatusResponse added in v0.10.2

type RekeyVerificationStatusResponse struct {
	Nonce    string `json:"nonce"`
	Started  bool   `json:"started"`
	T        int    `json:"t"`
	N        int    `json:"n"`
	Progress int    `json:"progress"`
}

type RekeyVerificationUpdateResponse added in v0.10.2

type RekeyVerificationUpdateResponse struct {
	Nonce    string `json:"nonce"`
	Complete bool   `json:"complete"`
}

type RenewOutput added in v0.8.0

type RenewOutput struct {
	// RenewedAt is the timestamp when the renewal took place (UTC).
	RenewedAt