/*

Copyright (c) 2022 - Present. Blend Labs, Inc. All rights reserved
Use of this source code is governed by a MIT license that can be found in the LICENSE file.

*/

package vault

import "time"

// Values is a bag of values.
//
// It is a type alias (not a defined type), so a Values and a plain
// map[string]interface{} are interchangeable without conversion.
type Values = map[string]interface{}

// SecretV1 is the structure returned for every secret within Vault
// (the KV v1 response shape: the secret's key/value pairs sit directly
// under "data").
//
// NOTE(review): when Auth or WrapInfo is non-nil this value carries a live
// Vault token (Auth.ClientToken, WrapInfo.Token). Do not log a SecretV1
// with %v/%+v or marshal it into logs, traces or error messages; the
// accessor fields identify a token without conferring its access and are
// the safe thing to record.
type SecretV1 struct {
	// The request ID that generated this response
	RequestID     string `json:"request_id"`
	LeaseID       string `json:"lease_id"`
	LeaseDuration int    `json:"lease_duration"`
	Renewable     bool   `json:"renewable"`
	// Data is the actual contents of the secret. The format of the data
	// is arbitrary and up to the secret backend.
	Data Values `json:"data"`
	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`
	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`
	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds)
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}

// SecretListV1 is the structure returned for a list of secret keys in vault
// (KV v1 LIST). Only key names are returned, never secret contents.
//
// NOTE(review): as with SecretV1, Auth and WrapInfo can carry live tokens;
// keep the whole value out of logs.
type SecretListV1 struct {
	// The request ID that generated this response
	RequestID     string `json:"request_id"`
	LeaseID       string `json:"lease_id"`
	LeaseDuration int    `json:"lease_duration"`
	Renewable     bool   `json:"renewable"`
	// Data is the list of keys and subfolders at this path. Subfolders end with a slash, keys do not
	Data KeyData `json:"data"`
	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`
	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`
	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds)
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}

// SecretV2 is the structure returned for every secret within Vault
// (the KV v2 response shape). Unlike SecretV1, the secret's key/value
// pairs are nested one level deeper, under Data.Data (see SecretData).
//
// NOTE(review): Auth and WrapInfo can carry live tokens; keep the whole
// value out of logs.
type SecretV2 struct {
	// The request ID that generated this response
	RequestID     string `json:"request_id"`
	LeaseID       string `json:"lease_id"`
	LeaseDuration int    `json:"lease_duration"`
	Renewable     bool   `json:"renewable"`
	// Data is the KV v2 envelope around the secret. The actual contents
	// are in Data.Data; their format is arbitrary and up to the secret backend.
	Data SecretData `json:"data"`
	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`
	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`
	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds)
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}

// SecretListV2 is the structure returned for a list of secret keys in vault
// (KV v2 LIST). It is shaped exactly like SecretListV1; only key names are
// returned, never secret contents.
//
// NOTE(review): Auth and WrapInfo can carry live tokens; keep the whole
// value out of logs.
type SecretListV2 struct {
	// The request ID that generated this response
	RequestID     string `json:"request_id"`
	LeaseID       string `json:"lease_id"`
	LeaseDuration int    `json:"lease_duration"`
	Renewable     bool   `json:"renewable"`
	// Data is the list of keys and subfolders at this path. Subfolders end with a slash, keys do not
	Data KeyData `json:"data"`
	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`
	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`
	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds)
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}

// TransitKey is the structure returned for every transit key within Vault
// (a read of a transit key's metadata). Data is left untyped here; its
// keys are whatever the transit backend returns.
type TransitKey struct {
	// The request ID that generated this response
	RequestID     string `json:"request_id"`
	LeaseID       string `json:"lease_id"`
	LeaseDuration int    `json:"lease_duration"`
	Renewable     bool   `json:"renewable"`
	// Data is the data associated with a transit key
	Data map[string]interface{} `json:"data"`
	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`
	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`
	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds)
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}

// SecretData is the KV v2 payload envelope. It is used for puts (the request
// body is {"data": {...}}) and is also the type of SecretV2.Data on reads.
type SecretData struct {
	// Data holds the secret's key/value pairs.
	Data Values `json:"data"`
}

// KeyData is used for lists (the "data" object of a LIST response).
type KeyData struct {
	// Keys is the list of child entries at the listed path; subfolders end
	// with a slash, keys do not.
	Keys []string `json:"keys"`
}

// SecretAuth is the structure containing auth information if we have it.
//
// NOTE(review): ClientToken is a live bearer credential. Never log or
// serialize a SecretAuth wholesale; if something must be recorded, record
// Accessor, which identifies the token without conferring its access.
type SecretAuth struct {
	// ClientToken is the Vault token issued by the auth operation. It is a
	// bearer credential: whoever holds it has this token's policies. Keep it
	// out of logs, error messages and serialized debug output.
	ClientToken string `json:"client_token"`
	// Accessor identifies the token without granting access; it is the value
	// to log or audit when a token needs to be referenced.
	Accessor string `json:"accessor"`
	// Policies lists the policy names attached to the token.
	Policies []string `json:"policies"`
	// Metadata carries auth-backend-specific key/value metadata about the login.
	Metadata map[string]string `json:"metadata"`
	// LeaseDuration is the token lease length as reported by Vault
	// (presumably seconds, consistent with SecretWrapInfo.TTL — confirm).
	LeaseDuration int `json:"lease_duration"`
	// Renewable reports whether the token lease can be renewed.
	Renewable bool `json:"renewable"`
}

// SecretWrapInfo contains wrapping information if we have it. If what is
// contained is an authentication token, the accessor for the token will be
// available in WrappedAccessor.
//
// NOTE(review): Token is itself a credential (it unwraps the real response)
// and must be kept out of logs. When a wrapping token is handed over by
// another party, compare CreationPath with the path you expected the wrapped
// response to come from before unwrapping it; that is the usual defence
// against a substituted wrapping token — confirm against the Vault docs for
// your version.
type SecretWrapInfo struct {
	// Token is the wrapping token whose cubbyhole holds the original response.
	Token string `json:"token"`
	// Accessor is the accessor of the wrapping token itself.
	Accessor string `json:"accessor"`
	// TTL is the wrapping token's lifetime in seconds.
	TTL int `json:"ttl"`
	// CreationTime is when the wrapping token was created.
	CreationTime time.Time `json:"creation_time"`
	// CreationPath is the API path whose response was wrapped.
	CreationPath string `json:"creation_path"`
	// WrappedAccessor is the accessor of the wrapped token, present when the
	// wrapped response is itself an authentication token.
	WrappedAccessor string `json:"wrapped_accessor"`
}

// MountResponse is the result of a call to a mount.
type MountResponse struct {
	// RequestID is the request ID that generated this response.
	RequestID string `json:"request_id"`
	// Data is the mount description returned under "data".
	Data Mount `json:"data"`
}

// Mount is a vault mount.
type Mount struct {
	// Type is the backend type of the mount.
	Type string `json:"type"`
	// Description is the human-readable description of the mount.
	Description string `json:"description"`
	// Accessor is the mount's accessor.
	Accessor string `json:"accessor"`
	// Config holds the mount's tunable configuration; see MountConfig.
	Config MountConfig `json:"config"`
	// Options carries backend-specific mount options (for example the KV
	// "version" option).
	Options map[string]string `json:"options"`
	// Local mirrors Vault's "local" mount flag (presumably: not replicated
	// across clusters — confirm).
	Local bool `json:"local"`
	// SealWrap mirrors Vault's "seal_wrap" mount flag.
	SealWrap bool `json:"seal_wrap" mapstructure:"seal_wrap"`
}

// MountConfig is a vault mount config as read back from Vault.
//
// Note that DefaultLeaseTTL and MaxLeaseTTL are integers here but strings in
// MountConfigInput, so the two types are not interchangeable.
//
// NOTE(review): AuditNonHMACRequestKeys, AuditNonHMACResponseKeys,
// ListingVisibility and PassthroughRequestHeaders all widen what the mount
// exposes (plaintext values in audit logs, unauthenticated listing, raw
// request headers reaching the backend). Treat non-empty values as
// security-relevant when reviewing a mount's configuration.
type MountConfig struct {
	// DefaultLeaseTTL is the default lease TTL for the mount.
	DefaultLeaseTTL int `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	// MaxLeaseTTL is the maximum lease TTL for the mount.
	MaxLeaseTTL int `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	// ForceNoCache mirrors Vault's "force_no_cache" mount tunable.
	ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"`
	// PluginName is the plugin backing the mount, if any.
	PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
	// AuditNonHMACRequestKeys lists request keys whose values are, per the
	// name, written to audit devices without HMAC — i.e. in plaintext.
	AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
	// AuditNonHMACResponseKeys lists response keys whose values are, per the
	// name, written to audit devices without HMAC — i.e. in plaintext.
	AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
	// ListingVisibility controls whether the mount shows up in Vault's
	// unauthenticated mount listing (presumably "unauth" or "hidden" — confirm).
	ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
	// PassthroughRequestHeaders lists request headers Vault forwards to the
	// backend.
	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
}

// MountInput is a vault mount input (the request body for creating a mount).
//
// PluginName appears both here and in Config; which one Vault honors depends
// on the Vault version — confirm before relying on either.
type MountInput struct {
	// Type is the backend type to mount.
	Type string `json:"type"`
	// Description is the human-readable description of the mount.
	Description string `json:"description"`
	// Config holds the mount's tunable configuration; see MountConfigInput.
	Config MountConfigInput `json:"config"`
	// Options carries backend-specific mount options.
	Options map[string]string `json:"options"`
	// Local mirrors Vault's "local" mount flag.
	Local bool `json:"local"`
	// PluginName is the plugin backing the mount, if any.
	PluginName string `json:"plugin_name,omitempty"`
	// SealWrap requests Vault's "seal_wrap" protection for the mount.
	SealWrap bool `json:"seal_wrap" mapstructure:"seal_wrap"`
}

// MountConfigInput is a vault mount config input.
//
// DefaultLeaseTTL and MaxLeaseTTL are strings here (presumably duration
// strings such as "768h" — confirm) but integers in MountConfig, so a
// MountConfig cannot be echoed back as input without conversion.
//
// NOTE(review): the AuditNonHMAC*, ListingVisibility and
// PassthroughRequestHeaders settings each widen what the mount exposes; see
// MountConfig for the same caveats.
type MountConfigInput struct {
	// Options carries backend-specific mount options.
	Options map[string]string `json:"options" mapstructure:"options"`
	// DefaultLeaseTTL is the default lease TTL to set on the mount.
	DefaultLeaseTTL string `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	// MaxLeaseTTL is the maximum lease TTL to set on the mount.
	MaxLeaseTTL string `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	// ForceNoCache mirrors Vault's "force_no_cache" mount tunable.
	ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"`
	// PluginName is the plugin backing the mount, if any.
	PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
	// AuditNonHMACRequestKeys lists request keys to audit without HMAC
	// (in plaintext).
	AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
	// AuditNonHMACResponseKeys lists response keys to audit without HMAC
	// (in plaintext).
	AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
	// ListingVisibility controls the mount's visibility in the unauthenticated
	// mount listing.
	ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
	// PassthroughRequestHeaders lists request headers Vault forwards to the
	// backend.
	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
}

// BatchTransitInput is the structure of batch encrypt / decrypt requests
type BatchTransitInput struct {
	// BatchTransitInputItems is the list of items sent as "batch_input".
	BatchTransitInputItems []BatchTransitInputItem `json:"batch_input"`
}

// BatchTransitInputItem is a single item in a batch encrypt / decrypt request
//
// Context and Plaintext are []byte, so encoding/json emits them base64-encoded
// (the form transit expects — pass raw bytes here, not pre-encoded text).
// Ciphertext is the "vault:v<n>:..." string as returned by Vault. A decrypt
// item carries Ciphertext; an encrypt item carries Plaintext; Context is
// required only for derived keys (see CreateTransitKeyConfig.Derived).
type BatchTransitInputItem struct {
	Context    []byte `json:"context,omitempty"`
	Ciphertext string `json:"ciphertext,omitempty"`
	Plaintext  []byte `json:"plaintext,omitempty"`
}

// BatchTransitResult is the structure returned by vault for batch transit requests
//
// NOTE(review): a batch request can succeed at the HTTP level while
// individual items fail, so callers must check every item's Error rather than
// only the request error. Items are expected to correspond positionally to
// the request's batch items. Plaintext is a string here (presumably base64 as
// Vault returns it, not the raw bytes — confirm before use).
type BatchTransitResult struct {
	Data struct {
		BatchTransitResult []struct {
			// Error, if set represents a failure encountered while encrypting/decrypting a
			// corresponding batch request item
			Error      string `json:"error"`
			Ciphertext string `json:"ciphertext"`
			Plaintext  string `json:"plaintext"`
		} `json:"batch_results"`
	} `json:"data"`
}

// TransitResult is the structure returned by vault for transit requests
// (single-item encrypt / decrypt). Only one of Ciphertext or Plaintext is
// populated depending on the operation; Plaintext is presumably base64 as
// Vault returns it — confirm before use.
type TransitResult struct {
	Data struct {
		Ciphertext string `json:"ciphertext"`
		Plaintext  string `json:"plaintext"`
	} `json:"data"`
}

// TransitHmacResult is the structure returned by vault for transit hmac requests
type TransitHmacResult struct {
	Data struct {
		// Hmac is the computed HMAC, in the encoded form Vault returns it.
		Hmac string `json:"hmac"`
	} `json:"data"`
}

// CreateTransitKeyConfig is the configuration data for creating a TransitKey
//
// Every field carries omitempty, so a false/empty value is simply not sent and
// Vault's default applies. Exportable and AllowPlaintextBackup are one-way:
// once a key is created with either set, the key material can leave Vault and
// the flag cannot be turned back off, so set them only when that is a
// deliberate decision.
type CreateTransitKeyConfig struct {
	// Convergent - If enabled, the key will support convergent encryption, where the same plaintext creates the same
	// ciphertext. This requires derived to be set to true. When enabled, each encryption(/decryption/rewrap/datakey)
	// operation will derive a nonce value rather than randomly generate it.
	// (Security note: equal plaintexts under the same context become linkable.)
	Convergent bool `json:"convergent_encryption,omitempty"`
	// Derived - Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this named key
	// must provide a context which is used for key derivation.
	Derived bool `json:"derived,omitempty"`
	// Exportable - Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported.
	// Once set, this cannot be disabled.
	Exportable bool `json:"exportable,omitempty"`
	// AllowPlaintextBackup - If set, enables taking backup of named key in the plaintext format. Once set, this cannot
	// be disabled.
	AllowPlaintextBackup bool `json:"allow_plaintext_backup,omitempty"`
	// Type specifies the type of key to create. The default type is "aes256-gcm96":
	// aes256-gcm96 – AES-256 wrapped with GCM using a 96-bit nonce size AEAD (symmetric, supports derivation and
	// convergent encryption)
	// chacha20-poly1305 – ChaCha20-Poly1305 AEAD (symmetric, supports derivation and convergent encryption)
	// ed25519 – ED25519 (asymmetric, supports derivation). When using derivation, a sign operation with the same
	// context will derive the same key and signature; this is a signing analog to convergent_encryption.
	// ecdsa-p256 – ECDSA using the P-256 elliptic curve (asymmetric)
	// rsa-2048 - RSA with bit size of 2048 (asymmetric)
	// rsa-4096 - RSA with bit size of 4096 (asymmetric)
	// An empty Type is omitted from the request and Vault's default applies.
	Type string `json:"type,omitempty"`
}

// UpdateTransitKeyConfig is the configuration data for modifying a TransitKey
//
// NOTE(review): MinEncryptionVersion carries omitempty, so the documented
// value 0 ("use the latest version") is never sent; once a minimum has been
// set it cannot be reset to 0 through this struct. DeletionAllowed is a *bool
// precisely so that an explicit false can be sent — MinEncryptionVersion
// would need the same treatment (a pointer) to be fully expressive, which is
// a public-API change and is therefore only flagged here. Exportable and
// AllowPlaintextBackup can only ever be switched on (false is omitted and the
// flags are irreversible server-side).
type UpdateTransitKeyConfig struct {
	// MinDecryptionVersion - Specifies the minimum version of ciphertext allowed to be decrypted. Adjusting this as
	// part of a key rotation policy can prevent old copies of ciphertext from being decrypted, should they fall into
	// the wrong hands. For signatures, this value controls the minimum version of signature that can be verified
	// against. For HMACs, this controls the minimum version of a key allowed to be used as the key for verification.
	// A value of 0 is omitted from the request.
	MinDecryptionVersion int `json:"min_decryption_version,omitempty"`
	// MinEncryptionVersion - Specifies the minimum version of the key that can be used to encrypt plaintext, sign
	// payloads, or generate HMACs. Must be 0 (which will use the latest version) or a value greater or equal to
	// min_decryption_version. Because of omitempty, 0 is not sent (see the type comment).
	MinEncryptionVersion int `json:"min_encryption_version,omitempty"`
	// DeletionAllowed - Specifies if the key is allowed to be deleted. A pointer so that an explicit false can be
	// sent; nil leaves the setting unchanged.
	DeletionAllowed *bool `json:"deletion_allowed,omitempty"`
	// Exportable - Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported.
	// Once set, this cannot be disabled.
	Exportable bool `json:"exportable,omitempty"`
	// AllowPlaintextBackup - If set, enables taking backup of named key in the plaintext format. Once set, this cannot
	// be disabled.
	AllowPlaintextBackup bool `json:"allow_plaintext_backup,omitempty"`
}

// GitHubAuthResponse is a response for github auth.
//
// NOTE(review): Auth.ClientToken is a live bearer credential; never log or
// serialize this value wholesale. Warnings is declared map[string]interface{}
// here, whereas every other response type in this file declares it []string;
// if Vault returns warnings as a JSON array, json.Unmarshal into this field
// fails and the whole login response is lost. Confirm the shape the github
// backend returns before changing the type, since the field is public API.
// Unlike AWSAuthResponse there is no Errors field, so error bodies are not
// captured here.
type GitHubAuthResponse struct {
	LeaseID       string                 `json:"lease_id,omitempty"`
	Renewable     bool                   `json:"renewable,omitempty"`
	LeaseDuration int64                  `json:"lease_duration,omitempty"`
	Data          map[string]interface{} `json:"data,omitempty"`
	// Warnings - see the type comment regarding its shape.
	Warnings map[string]interface{} `json:"warnings,omitempty"`
	// Auth holds the issued token and its policies.
	Auth struct {
		// ClientToken is a bearer credential; keep it out of logs.
		ClientToken string `json:"client_token,omitempty"`
		// Accessor identifies the token without granting access.
		Accessor string   `json:"accessor,omitempty"`
		Policies []string `json:"policies,omitempty"`
		// Metadata identifies the GitHub user and organization that logged in.
		Metadata struct {
			Username string `json:"username,omitempty"`
			Org      string `json:"org,omitempty"`
		} `json:"metadata"`
	} `json:"auth"`
}

// AWSAuthResponse is a response for AWS auth.
//
// NOTE(review): Auth.ClientToken is a live bearer credential; never log or
// serialize this value wholesale. Warnings has the same map-vs-[]string
// inconsistency as GitHubAuthResponse (see there).
type AWSAuthResponse struct {
	LeaseID       string                 `json:"lease_id,omitempty"`
	Renewable     bool                   `json:"renewable,omitempty"`
	LeaseDuration int64                  `json:"lease_duration,omitempty"`
	Data          map[string]interface{} `json:"data,omitempty"`
	// Warnings - declared as a map here but []string elsewhere in this file; confirm Vault's actual shape.
	Warnings map[string]interface{} `json:"warnings,omitempty"`
	// Auth holds the issued token and its policies.
	Auth struct {
		// ClientToken is a bearer credential; keep it out of logs.
		ClientToken string `json:"client_token,omitempty"`
		// Accessor identifies the token without granting access.
		Accessor string   `json:"accessor,omitempty"`
		Policies []string `json:"policies,omitempty"`
		// Metadata describes the AWS identity (instance / role) that logged in.
		Metadata struct {
			RoleTagMaxTTL string `json:"role_tag_max_ttl,omitempty"`
			InstanceID    string `json:"instance_id,omitempty"`
			AMIID         string `json:"ami_id,omitempty"`
			Role          string `json:"role,omitempty"`
			AuthType      string `json:"auth_type,omitempty"`
		} `json:"metadata"`
	} `json:"auth"`
	// Errors carries error messages from a failed login body, if any.
	Errors []string `json:"errors,omitempty"`
}