github.com/google/osv-scalibr@v0.4.1/veles/secrets/hashicorpvault/hashicorpvault.go (about)

     1  // Copyright 2025 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package hashicorpvault contains Veles Secret types and Detectors for HashiCorp Vault credentials.
    16  package hashicorpvault
    17  
    18  import (
    19  	"regexp"
    20  	"strings"
    21  )
    22  
// Token is a Veles Secret that holds relevant information for a HashiCorp Vault token.
// Vault tokens are used to authenticate to Vault instances and access secrets.
//
// The struct stores the token as an ordinary string and nothing in this
// declaration redacts it, so formatting a Token value (for example with %v)
// prints the raw secret.
// NOTE(review): confirm that code reporting findings does not write the raw
// value to logs or long-lived output.
type Token struct {
	// Token is the token string itself, unmodified.
	Token string
}
    28  
// AppRoleCredentials is a Veles Secret that holds relevant information for HashiCorp Vault AppRole credentials.
// AppRole credentials consist of a role-id and secret-id pair used for authentication.
//
// All three fields are plain strings. ID is the fallback for a UUID-shaped
// value whose role (role-id or secret-id) could not be determined; because the
// UUID check in this file is shape-only, a finding that carries only ID is
// weaker evidence than one carrying a RoleID/SecretID pair.
// NOTE(review): which fields are populated together is decided by the
// detector, which is not visible here — confirm before relying on it.
type AppRoleCredentials struct {
	RoleID   string // role-id half of the pair
	SecretID string // secret-id half of the pair; the sensitive part of an AppRole login
	ID       string // UUID-shaped value kept when context does not say whether it is a role-id or a secret-id
}
    36  
// uuidPattern matches a whole string written in the canonical 8-4-4-4-12
// hexadecimal UUID layout, in upper or lower case. The ^ and $ anchors make it
// a full-string match, so surrounding text or a trailing newline causes a miss.
//
// The pattern does not inspect the version or variant nibbles: it accepts any
// UUID-shaped value, not only UUID v4.
// NOTE(review): presumably deliberate, since AppRole identifiers may not carry
// v4 version bits — confirm before tightening, as a strict v4 pattern could
// silently drop real credentials.
var uuidPattern = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)
    39  
// isVaultToken reports whether token begins with one of the known Vault token
// prefixes: the newer "hvs." and "hvb.", or the older "s.", "b." and "r.".
//
// Only the prefix is examined. The length and character set of the remainder
// are not checked, so ordinary strings such as "s.txt" also pass; callers must
// bound the token body themselves to keep false positives down.
// NOTE(review): the older recovery prefix "r." is accepted while the newer
// "hvr." is not — confirm whether that omission is intended.
func isVaultToken(token string) bool {
	// The comparison is case-sensitive, exactly as strings.HasPrefix defines it.
	for _, prefix := range [...]string{"hvs.", "hvb.", "s.", "b.", "r."} {
		if strings.HasPrefix(token, prefix) {
			return true
		}
	}
	return false
}
    46  
// isUUID reports whether s, taken as a whole, has the 8-4-4-4-12 hexadecimal
// UUID layout accepted by uuidPattern. The version and variant nibbles are not
// inspected, so UUID-shaped values other than v4 match as well.
func isUUID(s string) bool {
	matched := uuidPattern.MatchString(s)
	return matched
}
    51  
// isAppRoleCredential reports whether s could be an AppRole role-id or
// secret-id. The check is shape-only: it defers to isUUID, so every
// UUID-shaped string passes, and a true result on its own does not show that
// the value belongs to Vault.
func isAppRoleCredential(s string) bool {
	if !isUUID(s) {
		return false
	}
	return true
}