// Copyright 2021 Canonical Ltd.
// Licensed under the AGPLv3, see LICENCE file for details.

package params

import (
	"time"

	"github.com/go-macaroon-bakery/macaroon-bakery/v3/bakery"
	"github.com/juju/errors"
	"gopkg.in/macaroon.v2"

	"github.com/juju/juju/core/secrets"
)

// The types in this file are the wire representation of the secrets and
// secret-backend facade arguments and results. The json tags are the API
// contract: renaming a tag breaks older clients, so such changes need a
// facade version bump (see the TODO on GrantRevokeSecretArg.SubjectTags).

// SecretBackendConfigResultsV1 holds config info for creating
// secret backend clients for a specific model.
// The V1 suffix suggests a superseded shape kept for older clients;
// see SecretBackendConfigResults for the current one.
type SecretBackendConfigResultsV1 struct {
	// ControllerUUID is the controller UUID.
	// Note the wire name is "model-controller", not "controller-uuid".
	ControllerUUID string `json:"model-controller"`
	// ModelUUID and ModelName identify the model the configs are for.
	ModelUUID string `json:"model-uuid"`
	ModelName string `json:"model-name"`
	// ActiveID is the ID of the model's active backend.
	ActiveID string `json:"active-id"`
	// Configs holds a client config per backend; presumably keyed by backend
	// ID (ActiveID being one of the keys) — confirm against the facade.
	Configs map[string]SecretBackendConfig `json:"configs,omitempty"`
}

// SecretBackendArgs holds args for querying secret backends.
type SecretBackendArgs struct {
	// ForDrain indicates the query is made for draining purposes
	// (cf. SecretBackendConfigResult.Draining); the exact server-side
	// effect is not visible here.
	ForDrain bool `json:"for-drain"`
	// BackendIDs restricts the query to the given backends.
	BackendIDs []string `json:"backend-ids"`
}

// SecretBackendConfigResults holds config info for creating
// secret backend clients for a specific model.
type SecretBackendConfigResults struct {
	// ActiveID is the ID of the model's active backend.
	ActiveID string `json:"active-id"`
	// Results holds one result per backend, presumably keyed by backend ID — confirm.
	Results map[string]SecretBackendConfigResult `json:"results,omitempty"`
}

// SecretBackendConfigResult holds config info for creating
// a secret backend client for a specific model.
type SecretBackendConfigResult struct {
	// ControllerUUID is the controller UUID; the wire name is "model-controller".
	ControllerUUID string `json:"model-controller"`
	ModelUUID      string `json:"model-uuid"`
	ModelName      string `json:"model-name"`
	// Draining is true when this backend is being drained.
	Draining bool `json:"draining"`
	// Config is the client config for the backend. omitempty has no effect
	// on a struct-valued field, so "config" is always serialised.
	Config SecretBackendConfig `json:"config,omitempty"`
}

// SecretBackendConfig holds config for creating a secret backend client.
type SecretBackendConfig struct {
	// BackendType is the backend provider, eg "vault".
	// Note the wire name here is "type" (SecretBackend uses "backend-type").
	BackendType string `json:"type"`
	// Params are the provider-specific client parameters.
	// NOTE(review): for an external backend these presumably include access
	// credentials, so messages carrying this struct should be treated as
	// sensitive — confirm which keys each provider uses.
	Params map[string]interface{} `json:"params,omitempty"`
}

// SecretContentParams holds params for representing the content of a secret.
type SecretContentParams struct {
	// Data is the key values of the secret value itself.
	// When set, the content travels inline in the message.
	Data map[string]string `json:"data,omitempty"`
	// ValueRef is the content reference for when a secret
	// backend like vault is used.
	ValueRef *SecretValueRef `json:"value-ref,omitempty"`
}

// UpsertSecretArg holds the args for creating or updating a secret.
// Pointer fields are optional; nil means the attribute was not supplied
// (UpdateUserSecretArg.Validate relies on this to detect an empty update).
type UpsertSecretArg struct {
	// RotatePolicy is how often a secret should be rotated.
	RotatePolicy *secrets.RotatePolicy `json:"rotate-policy,omitempty"`
	// ExpireTime is when a secret should expire.
	ExpireTime *time.Time `json:"expire-time,omitempty"`
	// Description represents the secret's description.
	Description *string `json:"description,omitempty"`
	// Label is the secret's label.
	Label *string `json:"label,omitempty"`
	// Params are used when generating secrets server side.
	// See core/secrets/secret.go.
	Params map[string]interface{} `json:"params,omitempty"`
	// Content is the secret content (inline Data and/or a ValueRef).
	// omitempty has no effect on a struct-valued field, so "content" is always sent.
	Content SecretContentParams `json:"content,omitempty"`
}

// CreateSecretURIsArg holds args for creating secret URIs.
type CreateSecretURIsArg struct {
	// Count is the number of URIs to generate.
	Count int `json:"count"`
}

// CreateSecretArgs holds args for creating secrets.
type CreateSecretArgs struct {
	Args []CreateSecretArg `json:"args"`
}

// CreateSecretArg holds the args for creating a secret.
type CreateSecretArg struct {
	UpsertSecretArg

	// URI identifies the secret to create.
	// If empty, the controller generates a URI.
	URI *string `json:"uri,omitempty"`
	// OwnerTag is the owner of the secret.
	OwnerTag string `json:"owner-tag"`
}

// UpdateSecretArgs holds args for updating secrets.
type UpdateSecretArgs struct {
	Args []UpdateSecretArg `json:"args"`
}

// UpdateSecretArg holds the args for updating a secret.
type UpdateSecretArg struct {
	UpsertSecretArg

	// URI identifies the secret to update.
	URI string `json:"uri"`
}

// UpdateUserSecretArgs holds args for updating user secrets.
type UpdateUserSecretArgs struct {
	Args []UpdateUserSecretArg `json:"args"`
}

// UpdateUserSecretArg holds the args for updating a user secret.
type UpdateUserSecretArg struct {
	UpsertSecretArg

	// Either URI or ExistingLabel is required (exactly one; see Validate).

	// URI identifies the secret to update.
	URI string `json:"uri"`

	// ExistingLabel is the label of an existing secret.
	ExistingLabel string `json:"existing-label"`

	// AutoPrune indicates whether the staled secret revisions should be pruned automatically.
	AutoPrune *bool `json:"auto-prune,omitempty"`
}

// Validate checks that arg identifies exactly one secret (by URI or by
// ExistingLabel, not both) and carries at least one attribute to change.
// It returns a descriptive error for the first rule violated, nil otherwise.
//
// Only AutoPrune, Description, Label and Content.Data count as "something to
// update"; RotatePolicy, ExpireTime, Params and Content.ValueRef are not
// inspected here — NOTE(review): presumably those are not settable on user
// secrets; confirm with the facade.
func (arg UpdateUserSecretArg) Validate() error {
	byURI := arg.URI != ""
	byLabel := arg.ExistingLabel != ""
	nothingToChange := arg.AutoPrune == nil &&
		arg.Description == nil &&
		arg.Label == nil &&
		len(arg.Content.Data) == 0

	switch {
	case nothingToChange:
		return errors.New("at least one attribute to update must be specified")
	case !byURI && !byLabel:
		return errors.New("must specify either URI or label")
	case byURI && byLabel:
		return errors.New("must specify either URI or label but not both")
	default:
		return nil
	}
}

// DeleteSecretArgs holds args for deleting secrets.
type DeleteSecretArgs struct {
	Args []DeleteSecretArg `json:"args"`
}

// DeleteSecretArg holds the args for deleting a secret.
type DeleteSecretArg struct {
	// Either URI or Label is required.

	URI   string `json:"uri"`
	Label string `json:"label"`
	// Revisions lists the revisions to delete; when empty the whole secret
	// is presumably deleted — confirm with the facade.
	Revisions []int `json:"revisions,omitempty"`
}

// SecretRevisionArg holds the args for secret revisions.
type SecretRevisionArg struct {
	URI string `json:"uri"`
	// Revisions are the revision numbers the operation applies to.
	Revisions []int `json:"revisions"`
	// PendingDelete marks the revisions as pending deletion.
	PendingDelete bool `json:"pending-delete"`
}

// GetSecretConsumerInfoArgs holds the args for getting secret
// consumer metadata.
type GetSecretConsumerInfoArgs struct {
	// ConsumerTag is the tag of the entity consuming the secrets.
	ConsumerTag string `json:"consumer-tag"`
	// URIs are the secrets to look up for that consumer.
	URIs []string `json:"uris"`
}

// SecretConsumerInfoResults holds secret consumer info results
// (presumably one per requested URI, in order — confirm).
type SecretConsumerInfoResults struct {
	Results []SecretConsumerInfoResult `json:"results"`
}

// SecretConsumerInfoResult is the result of getting a consumer's
// metadata for one secret, or an error.
type SecretConsumerInfoResult struct {
	// Revision and Label are the consumer's recorded revision and label
	// for the secret (presumably; the facade is not visible here).
	Revision int    `json:"revision"`
	Label    string `json:"label"`
	Error    *Error `json:"error,omitempty"`
}

// GetSecretContentArgs holds the args for getting secret values.
type GetSecretContentArgs struct {
	Args []GetSecretContentArg `json:"args"`
}

// GetSecretContentArg holds the args for getting a secret value.
type GetSecretContentArg struct {
	URI string `json:"uri"`
	// Label is an optional consumer label for the secret
	// (presumably recorded against the consumer; confirm).
	Label string `json:"label,omitempty"`
	// Refresh and Peek both select the latest revision; Refresh makes it
	// the consumer's tracked revision from here on, Peek does not. This
	// mirrors the documented semantics of GetRemoteSecretContentArg —
	// confirm for the local case.
	Refresh bool `json:"refresh,omitempty"`
	Peek    bool `json:"peek,omitempty"`
}

// ChangeSecretBackendArgs holds a slice of args for updating secret backend IDs.
type ChangeSecretBackendArgs struct {
	Args []ChangeSecretBackendArg `json:"args"`
}

// ChangeSecretBackendArg holds the arg for updating a secret backend for a secret.
// It holds the secret contents as well if the new backend is the internal backend.
type ChangeSecretBackendArg struct {
	URI      string `json:"uri"`
	Revision int    `json:"revision"`
	// Content carries inline Data (when moving to the internal backend) or
	// the ValueRef in the new backend. omitempty has no effect on a
	// struct-valued field, so "content" is always serialised.
	Content SecretContentParams `json:"content,omitempty"`
}

// SecretContentResults holds secret value results.
type SecretContentResults struct {
	Results []SecretContentResult `json:"results"`
}

// SecretContentResult is the result of getting secret content.
type SecretContentResult struct {
	// Content is the secret content (inline Data or a ValueRef into a backend).
	Content SecretContentParams `json:"content"`
	// BackendConfig, when set, is presumably the client config needed to
	// resolve Content.ValueRef — confirm.
	BackendConfig *SecretBackendConfigResult `json:"backend-config,omitempty"`
	// LatestRevision, when set, is the newest revision of the secret.
	LatestRevision *int `json:"latest-revision,omitempty"`
	Error          *Error `json:"error,omitempty"`
}

// SecretValueResult is the result of getting a secret value.
type SecretValueResult struct {
	// Data is the secret's key/value content in the clear.
	Data  map[string]string `json:"data,omitempty"`
	Error *Error            `json:"error,omitempty"`
}

// SecretsFilter is used when querying secrets.
// All fields are optional; nil means no constraint on that attribute.
type SecretsFilter struct {
	URI      *string `json:"uri,omitempty"`
	Label    *string `json:"label,omitempty"`
	Revision *int    `json:"revision,omitempty"`
	OwnerTag *string `json:"owner-tag,omitempty"`
}

// ListSecretsArgs holds the args for listing secrets.
type ListSecretsArgs struct {
	// ShowSecrets asks for the secret values to be returned along with the
	// metadata (presumably populating ListSecretResult.Value — confirm).
	// Callers should only set it when the content is actually needed.
	ShowSecrets bool `json:"show-secrets"`
	// Filter restricts which secrets are listed.
	Filter SecretsFilter `json:"filter"`
}

// ListSecretResults holds secret metadata results.
type ListSecretResults struct {
	Results []ListSecretResult `json:"results"`
}

// SecretValueRef holds a reference to a secret
// value in a secret backend.
type SecretValueRef struct {
	// BackendID identifies the backend holding the value.
	BackendID string `json:"backend-id"`
	// RevisionID is the backend's identifier for the stored revision.
	RevisionID string `json:"revision-id"`
}

// SecretRevision holds secret revision metadata.
type SecretRevision struct {
	Revision int `json:"revision"`
	// ValueRef is set when the revision's value lives in a secret backend.
	ValueRef *SecretValueRef `json:"value-ref,omitempty"`
	// BackendName is the name of that backend, when known.
	BackendName *string `json:"backend-name,omitempty"`
	// CreateTime and UpdateTime: omitempty has no effect on a time.Time
	// (struct) value, so a zero time is sent as "0001-01-01T00:00:00Z".
	CreateTime time.Time  `json:"create-time,omitempty"`
	UpdateTime time.Time  `json:"update-time,omitempty"`
	ExpireTime *time.Time `json:"expire-time,omitempty"`
}

// ListSecretResult is the result of getting secret metadata.
type ListSecretResult struct {
	URI              string     `json:"uri"`
	Version          int        `json:"version"`
	OwnerTag         string     `json:"owner-tag"`
	RotatePolicy     string     `json:"rotate-policy,omitempty"`
	NextRotateTime   *time.Time `json:"next-rotate-time,omitempty"`
	Description      string     `json:"description,omitempty"`
	Label            string     `json:"label,omitempty"`
	LatestRevision   int        `json:"latest-revision"`
	LatestExpireTime *time.Time `json:"latest-expire-time,omitempty"`
	CreateTime       time.Time  `json:"create-time"`
	UpdateTime       time.Time  `json:"update-time"`
	// Revisions is the per-revision metadata (no values).
	Revisions []SecretRevision `json:"revisions"`
	// Value carries the secret data in the clear. It is presumably only
	// populated when the caller set ListSecretsArgs.ShowSecrets — confirm.
	Value *SecretValueResult `json:"value,omitempty"`
	// Access lists the access grants on the secret.
	Access []AccessInfo `json:"access,omitempty"`
}

// AccessInfo describes one access grant on a secret.
type AccessInfo struct {
	// TargetTag is the entity granted access.
	TargetTag string `json:"target-tag"`
	// ScopeTag is the entity the grant is scoped to.
	ScopeTag string `json:"scope-tag"`
	// Role is the level of access granted.
	Role secrets.SecretRole `json:"role"`
}

// SecretTriggerChange describes a change to a secret trigger.
type SecretTriggerChange struct {
	URI string `json:"uri"`
	// Revision is the revision the trigger applies to, if any.
	Revision int `json:"revision,omitempty"`
	// NextTriggerTime is when the trigger next fires.
	NextTriggerTime time.Time `json:"next-trigger-time"`
}

// SecretTriggerWatchResult holds secret trigger change events.
type SecretTriggerWatchResult struct {
	WatcherId string `json:"watcher-id"`
	// Changes is presumably the baseline state delivered with the watcher
	// id, as for SecretRevisionWatchResult — confirm.
	Changes []SecretTriggerChange `json:"changes"`
	Error   *Error                `json:"error,omitempty"`
}

// SecretRotatedArgs holds the args for updating rotated secret info.
type SecretRotatedArgs struct {
	Args []SecretRotatedArg `json:"args"`
}

// SecretRotatedArg holds the args for updating rotated secret info.
type SecretRotatedArg struct {
	URI string `json:"uri"`
	// OriginalRevision is presumably the revision that was current when
	// rotation was requested — confirm.
	OriginalRevision int `json:"original-revision"`
	// Skip is true if the rotation was not performed (presumably; confirm).
	Skip bool `json:"skip"`
}

// GrantRevokeSecretArgs holds args for changing access to secrets.
type GrantRevokeSecretArgs struct {
	Args []GrantRevokeSecretArg `json:"args"`
}

// GrantRevokeSecretArg holds the args for changing access to a secret.
type GrantRevokeSecretArg struct {
	// URI identifies the secret to grant.
	URI string `json:"uri"`

	// ScopeTag defines the entity to which the access is scoped.
	ScopeTag string `json:"scope-tag"`

	// SubjectTags are the target tags of the secret grant/revoke request.
	// TODO: rename this field to TargetTags and bump facade version.
	SubjectTags []string `json:"subject-tags"`

	// Role is the role being granted.
	Role string `json:"role"`
}

// GrantRevokeUserSecretArg holds the args for changing access to a user secret.
type GrantRevokeUserSecretArg struct {
	// Either URI or Label is required.

	// URI identifies the secret to grant.
	URI string `json:"uri"`
	// Label identifies the secret to grant.
	Label string `json:"label"`

	// Applications are the applications whose access is being granted or revoked.
	Applications []string `json:"applications"`
}

// ListSecretBackendsResults holds secret backend results.
type ListSecretBackendsResults struct {
	Results []SecretBackendResult `json:"results"`
}

// SecretBackendResult holds a secret backend and related info.
type SecretBackendResult struct {
	Result SecretBackend `json:"result"`
	// Include the ID so we can report on backends with errors.
	ID         string `json:"id"`
	NumSecrets int    `json:"num-secrets"`
	// Status and Message presumably report the backend's health — confirm.
	Status  string `json:"status"`
	Message string `json:"message,omitempty"`
	Error   *Error `json:"error,omitempty"`
}

// AddSecretBackendArgs holds args for adding secret backends.
type AddSecretBackendArgs struct {
	Args []AddSecretBackendArg `json:"args"`
}

// AddSecretBackendArg holds args for adding a secret backend.
type AddSecretBackendArg struct {
	SecretBackend
	// Include the ID so we can optionally
	// import existing backend metadata.
	ID string `json:"id,omitempty"`
}

// UpdateSecretBackendArgs holds args for updating secret backends.
type UpdateSecretBackendArgs struct {
	Args []UpdateSecretBackendArg `json:"args"`
}

// UpdateSecretBackendArg holds args for updating a secret backend.
type UpdateSecretBackendArg struct {
	// Name is the name of the backend to update.
	Name string `json:"name"`

	// NameChange if set, renames the backend.
	NameChange *string `json:"name-change,omitempty"`

	// TokenRotateInterval is the interval to rotate
	// the backend master access token.
	// Unlike SecretBackend.TokenRotateInterval this tag has no omitempty,
	// so a nil value is sent as null — NOTE(review): confirm whether the
	// server treats null as "unchanged" or as "cleared".
	TokenRotateInterval *time.Duration `json:"token-rotate-interval"`

	// Config are the backend's updated configuration attributes.
	Config map[string]interface{} `json:"config"`

	// Reset contains attributes to clear or reset.
	Reset []string `json:"reset"`

	// Force means to update the backend even if a ping fails.
	Force bool `json:"force,omitempty"`
}

// ListSecretBackendsArgs holds the args for listing secret backends.
type ListSecretBackendsArgs struct {
	// Names restricts the listing to the named backends.
	Names []string `json:"names"`
	// Reveal asks for backend Config to be returned unredacted (presumably
	// including any credentials it holds — confirm with the facade).
	// Only set it when the caller needs the raw values.
	Reveal bool `json:"reveal"`
}

// SecretBackend holds secret backend details.
type SecretBackend struct {
	// Name is the name of the backend.
	Name string `json:"name"`

	// BackendType is the backend provider, eg "vault".
	BackendType string `json:"backend-type"`

	// TokenRotateInterval is the interval to rotate
	// the backend master access token.
	TokenRotateInterval *time.Duration `json:"token-rotate-interval,omitempty"`

	// Config are the backend's configuration attributes.
	// NOTE(review): for external providers this is where access credentials
	// would live, so treat messages carrying it as sensitive — confirm per
	// provider.
	Config map[string]interface{} `json:"config"`
}

// RemoveSecretBackendArgs holds args for removing secret backends.
type RemoveSecretBackendArgs struct {
	Args []RemoveSecretBackendArg `json:"args"`
}

// RemoveSecretBackendArg holds args for removing a secret backend.
type RemoveSecretBackendArg struct {
	Name string `json:"name"`
	// Force requests removal even when the server would otherwise refuse
	// (presumably, by analogy with UpdateSecretBackendArg.Force — confirm).
	Force bool `json:"force,omitempty"`
}

// RotateSecretBackendArgs holds the args for updating rotated secret backend info.
type RotateSecretBackendArgs struct {
	BackendIDs []string `json:"backend-ids"`
}

// SecretBackendRotateChange describes a change to a secret backend rotation.
type SecretBackendRotateChange struct {
	ID string `json:"id"`
	// Name is the backend name; note the wire name is "backend-name".
	Name string `json:"backend-name"`
	// NextTriggerTime is when the backend's rotation next fires.
	NextTriggerTime time.Time `json:"next-trigger-time"`
}

// SecretBackendRotateWatchResult holds secret backend rotate change events.
type SecretBackendRotateWatchResult struct {
	WatcherId string                      `json:"watcher-id"`
	Changes   []SecretBackendRotateChange `json:"changes"`
	Error     *Error                      `json:"error,omitempty"`
}

// GetRemoteSecretContentArgs holds args for fetching remote secret contents.
type GetRemoteSecretContentArgs struct {
	// Args is serialised under the wire name "relations" (not "args").
	Args []GetRemoteSecretContentArg `json:"relations"`
}

// GetRemoteSecretContentArg holds args for fetching a remote secret.
type GetRemoteSecretContentArg struct {
	// SourceControllerUUID is the UUID of the controller making this API call.
	SourceControllerUUID string `json:"source-controller-uuid"`

	// ApplicationToken is the application token on the remote model.
	ApplicationToken string `json:"application-token"`

	// UnitId uniquely identifies the remote unit.
	UnitId int `json:"unit-id"`

	// Revision, if specified, is the secret revision to fetch.
	Revision *int `json:"revision,omitempty"`

	// Macaroons are used for authentication. They are bearer credentials
	// for the request and must not be logged.
	Macaroons macaroon.Slice `json:"macaroons,omitempty"`

	// BakeryVersion is the version of the bakery used to mint macaroons.
	BakeryVersion bakery.Version `json:"bakery-version,omitempty"`

	// URI is the secret URI.
	URI string `json:"uri"`

	// Refresh is true if the latest revision should be used from here on.
	Refresh bool `json:"refresh,omitempty"`

	// Peek is true if we want the latest revision just this once.
	Peek bool `json:"peek,omitempty"`
}

// GetRemoteSecretAccessArgs holds args for fetching info
// about access to a remote secret.
type GetRemoteSecretAccessArgs struct {
	// Args is serialised under the wire name "relations" (not "args").
	Args []GetRemoteSecretAccessArg `json:"relations"`
}

// GetRemoteSecretAccessArg holds args for fetching info
// about access to a remote secret.
// Unlike GetRemoteSecretContentArg it carries no macaroons;
// NOTE(review): presumably the caller is authenticated at the connection
// level instead — confirm.
type GetRemoteSecretAccessArg struct {
	// ApplicationToken is the application token on the remote model.
	ApplicationToken string `json:"application-token"`

	// UnitId uniquely identifies the remote unit.
	UnitId int `json:"unit-id"`

	// URI is the secret URI.
	URI string `json:"uri"`
}

// WatchRemoteSecretChangesArgs holds args for watching
// changes to a remote secret.
type WatchRemoteSecretChangesArgs struct {
	// Args is serialised under the wire name "relations" (not "args").
	Args []WatchRemoteSecretChangesArg `json:"relations"`
}

// WatchRemoteSecretChangesArg holds info for watching
// changes to a remote secret.
type WatchRemoteSecretChangesArg struct {
	// ApplicationToken is the application token on the remote model.
	ApplicationToken string `json:"application-token"`

	// RelationToken is the relation token on the remote model.
	RelationToken string `json:"relation-token"`

	// Macaroons are used for authentication. They are bearer credentials
	// for the request and must not be logged.
	Macaroons macaroon.Slice `json:"macaroons,omitempty"`

	// BakeryVersion is the version of the bakery used to mint macaroons.
	BakeryVersion bakery.Version `json:"bakery-version,omitempty"`
}

// LatestSecretRevisionChanges holds a collection of secret revision changes
// for updating consumers when secrets get new revisions added.
type LatestSecretRevisionChanges struct {
	Changes []SecretRevisionChange `json:"changes"`
}

// SecretRevisionChange describes a secret revision change.
type SecretRevisionChange struct {
	URI string `json:"uri"`
	// Revision is the new latest revision of the secret.
	Revision int `json:"revision"`
}

// SecretRevisionWatchResult holds a SecretRevisionWatcher id, baseline state
// (in the Changes field), and an error (if any).
type SecretRevisionWatchResult struct {
	WatcherId string                 `json:"watcher-id"`
	Changes   []SecretRevisionChange `json:"changes"`
	Error     *Error                 `json:"error,omitempty"`
}

// SecretRevisionWatchResults holds the results for any API call which ends up
// returning a list of SecretRevisionWatchers.
type SecretRevisionWatchResults struct {
	Results []SecretRevisionWatchResult `json:"results"`
}