Diffstat (limited to 'secrets')
-rw-r--r-- | secrets/client.go | 112 | ||||
-rw-r--r-- | secrets/go.mod | 56 | ||||
-rw-r--r-- | secrets/go.sum | 336 | ||||
-rw-r--r-- | secrets/vault_client.go | 426 |
4 files changed, 930 insertions, 0 deletions
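diff --git a/secrets/client.go b/secrets/client.go
new file mode 100644
index 0000000..7a1f51b
--- /dev/null
+++ b/secrets/client.go
@@ -0,0 +1,112 @@
+package secrets
+
+import (
+"context"
+"crypto/rsa"
+"crypto/x509"
+"encoding/base64"
+"fmt"
+"sync"
+"time"
+
+"code.crute.us/mcrute/golib/log"
+"code.crute.us/mcrute/golib/service"
+)
+
+type Handle interface {
+Reference() string
+}
+
+type Renewal struct {
+Name string
+Critical bool
+Time time.Time
+Error error
+}
+
+type Credential struct {
+Username string `json:"username"`
+Password string `json:"password"`
+}
+
+type ApiKey struct {
+Key string `json:"key"`
+}
+
+type RSAKey struct {
+Key string `json:"key"`
+}
+
+func (k *RSAKey) RSAPrivateKey() (*rsa.PrivateKey, error) {
+der, err := base64.StdEncoding.DecodeString(k.Key)
+if err != nil {
+return nil, err
+}
+
+pr, err := x509.ParsePKCS8PrivateKey(der)
+if err != nil {
+return nil, err
+}
+
+pk, ok := pr.(*rsa.PrivateKey)
+if !ok {
+return nil, fmt.Errorf("RSAKey: parsed key is not an rsa.PrivateKey")
+}
+
+return pk, nil
+}
+
+// Client is the interface that users of secrets returned by a secret
+// back-end should expect. This interface contains only secret related
+// functionality and none of the functions for running the back-end
+// itself. This is separate from the manager functions to make it easier
+// to inject stubs to code that doesn't care about the fact that a
+// manager may exist.
+type Client interface {
+DatabaseCredential(context.Context, string) (*Credential, Handle, error)
+Secret(context.Context, string, any) (Handle, error)
+WriteSecret(context.Context, string, any) error
+Destroy(Handle) error
+MakeNonCritical(Handle) error
+}
+
+// ClientManager is like a Client, and contains a Client, but also
+// contains other runtime functionality for running the secret back-end
+// infrastructure that most consumers of secretes don't care about but
+// the main process runner does.
+type ClientManager interface {
+Client
+Authenticate(context.Context) error
+Notifications() <-chan Renewal
+Run(context.Context, *sync.WaitGroup) error
+}
+
+// MakeRenewalLogger subscribes to a ClientManager notification channel
+// and logs those to the logger. If a critical credential fails the
+// terminator callback will be called which should shut down the
+// application in an orderly fashion.
+func MakeRenewalLogger(cm ClientManager, log log.LeveledLogger, terminator func()) service.RunnerFunc {
+return func(ctx context.Context, wg *sync.WaitGroup) error {
+wg.Add(1)
+defer wg.Done()
+
+for {
+select {
+case r := <-cm.Notifications():
+if r.Error != nil {
+if r.Critical {
+log.Errorf("Failed to renew critical secret %s due to %s", r.Name, r.Error)
+terminator()
+} else {
+log.Errorf("Failed to renew non-critical secret %s", r.Name)
+}
+} else {
+log.Infof("Renewing credential %s", r.Name)
+}
+case <-ctx.Done():
+log.Infof("Shutting down secret renewal logger")
+return nil
+}
+}
+}
+}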
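Review bot: The receive in MakeRenewalLogger, `case r := <-cm.Notifications():`, does not check whether the channel is still open, so if the manager ever closes it the loop would spin on zero-value Renewal records and log "Renewing credential" with an empty name until the context is cancelled. Use `case r, ok := <-cm.Notifications():` followed by `if !ok { return nil }`. The non-critical branch also drops `r.Error`, which leaves operators without the cause of a failed renewal; `log.Errorf("Failed to renew non-critical secret %s due to %s", r.Name, r.Error)` would match the critical branch. Whether the channel is ever closed depends on the ClientManager implementation in vault_client.go, which is not shown here.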
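diff --git a/secrets/go.mod b/secrets/go.mod
new file mode 100644
index 0000000..ca23257
--- /dev/null
+++ b/secrets/go.mod
@@ -0,0 +1,56 @@
+module code.crute.us/mcrute/golib/secrets
+
+go 1.18
+
+require (
+code.crute.us/mcrute/golib v0.4.0
+github.com/hashicorp/vault/api v1.8.0
+github.com/hashicorp/vault/api/auth/approle v0.3.0
+github.com/mitchellh/mapstructure v1.5.0
+)
+
+require (
+github.com/armon/go-metrics v0.3.9 // indirect
+github.com/armon/go-radix v1.0.0 // indirect
+github.com/cenkalti/backoff/v3 v3.0.0 // indirect
+github.com/fatih/color v1.7.0 // indirect
+github.com/golang/protobuf v1.5.2 // indirect
+github.com/golang/snappy v0.0.4 // indirect
+github.com/hashicorp/errwrap v1.1.0 // indirect
+github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+github.com/hashicorp/go-hclog v0.16.2 // indirect
+github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
+github.com/hashicorp/go-multierror v1.1.1 // indirect
+github.com/hashicorp/go-plugin v1.4.3 // indirect
+github.com/hashicorp/go-retryablehttp v0.6.6 // indirect
+github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect
+github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+github.com/hashicorp/go-uuid v1.0.2 // indirect
+github.com/hashicorp/go-version v1.2.0 // indirect
+github.com/hashicorp/golang-lru v0.5.4 // indirect
+github.com/hashicorp/hcl v1.0.0 // indirect
+github.com/hashicorp/vault/sdk v0.6.0 // indirect
+github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
+github.com/mattn/go-colorable v0.1.6 // indirect
+github.com/mattn/go-isatty v0.0.12 // indirect
+github.com/mitchellh/copystructure v1.0.0 // indirect
+github.com/mitchellh/go-homedir v1.1.0 // indirect
+github.com/mitchellh/go-testing-interface v1.0.0 // indirect
+github.com/mitchellh/reflectwalk v1.0.0 // indirect
+github.com/oklog/run v1.0.0 // indirect
+github.com/pierrec/lz4 v2.5.2+incompatible // indirect
+github.com/ryanuber/go-glob v1.0.0 // indirect
+go.uber.org/atomic v1.9.0 // indirect
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
+golang.org/x/text v0.3.3 // indirect
+golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 // indirect
+google.golang.org/grpc v1.41.0 // indirect
+google.golang.org/protobuf v1.26.0 // indirect
+gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+)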
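Review bot: Several indirect requirements in the second `require` block are pinned to snapshots noticeably older than the direct dependencies, for example `golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97`, `golang.org/x/net v0.0.0-20210226172049-e18ecbb05110` and `golang.org/x/text v0.3.3`. For a module whose job is handling credentials, it is worth running `govulncheck ./...` against this graph before tagging, then raising any flagged module with `go get module@version` followed by `go mod tidy`. Which of these packages are actually reachable from the secrets code cannot be judged from go.mod alone.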
diff --git a/secrets/go.sum b/secrets/go.sum new file mode 100644 index 0000000..b27d5e2 --- /dev/null +++ b/secrets/go.sum | |||
@@ -0,0 +1,336 @@ | |||
1 | cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= | ||
2 | cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= | ||
3 | code.crute.us/mcrute/golib v0.4.0 h1:VWxb7v4gGkqL700zxDwgROweBsfx5RbiB35VW0O0oi0= | ||
4 | code.crute.us/mcrute/golib v0.4.0/go.mod h1:dukLPhs1H8dxtkhXtpJZYo/bMzefLRbdRj9Tj67wdaQ= | ||
5 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= | ||
6 | github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= | ||
7 | github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= | ||
8 | github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= | ||
9 | github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= | ||
10 | github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= | ||
11 | github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= | ||
12 | github.com/armon/go-metrics v0.3.9 h1:O2sNqxBdvq8Eq5xmzljcYzAORli6RWCvEym4cJf9m18= | ||
13 | github.com/armon/go-metrics v0.3.9/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= | ||
14 | github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= | ||
15 | github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= | ||
16 | github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= | ||
17 | github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= | ||
18 | github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= | ||
19 | github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= | ||
20 | github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= | ||
21 | github.com/cenkalti/backoff/v3 v3.0.0 h1:ske+9nBpD9qZsTBoF41nW5L+AIuFBKMeze18XQ3eG1c= | ||
22 | github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= | ||
23 | github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= | ||
24 | github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= | ||
25 | github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= | ||
26 | github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= | ||
27 | github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= | ||
28 | github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= | ||
29 | github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= | ||
30 | github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= | ||
31 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= | ||
32 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||
33 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= | ||
34 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||
35 | github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= | ||
36 | github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= | ||
37 | github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= | ||
38 | github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= | ||
39 | github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= | ||
40 | github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= | ||
41 | github.com/evanphx/json-patch/v5 v5.5.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= | ||
42 | github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys= | ||
43 | github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= | ||
44 | github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= | ||
45 | github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= | ||
46 | github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y= | ||
47 | github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk= | ||
48 | github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU= | ||
49 | github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= | ||
50 | github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= | ||
51 | github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= | ||
52 | github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= | ||
53 | github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q= | ||
54 | github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= | ||
55 | github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= | ||
56 | github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= | ||
57 | github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw= | ||
58 | github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= | ||
59 | github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= | ||
60 | github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= | ||
61 | github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= | ||
62 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= | ||
63 | github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= | ||
64 | github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= | ||
65 | github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= | ||
66 | github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= | ||
67 | github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= | ||
68 | github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= | ||
69 | github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= | ||
70 | github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= | ||
71 | github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= | ||
72 | github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= | ||
73 | github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= | ||
74 | github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= | ||
75 | github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= | ||
76 | github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= | ||
77 | github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= | ||
78 | github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= | ||
79 | github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= | ||
80 | github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= | ||
81 | github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= | ||
82 | github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= | ||
83 | github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= | ||
84 | github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= | ||
85 | github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= | ||
86 | github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= | ||
87 | github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= | ||
88 | github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= | ||
89 | github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= | ||
90 | github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= | ||
91 | github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= | ||
92 | github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= | ||
93 | github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= | ||
94 | github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= | ||
95 | github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= | ||
96 | github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= | ||
97 | github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= | ||
98 | github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= | ||
99 | github.com/hashicorp/go-hclog v0.16.2 h1:K4ev2ib4LdQETX5cSZBG0DVLk1jwGqSPXBjdah3veNs= | ||
100 | github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= | ||
101 | github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= | ||
102 | github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= | ||
103 | github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= | ||
104 | github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0/go.mod h1:xvb32K2keAc+R8DSFG2IwDcydK9DBQE+fGA5fsw6hSk= | ||
105 | github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= | ||
106 | github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= | ||
107 | github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= | ||
108 | github.com/hashicorp/go-plugin v1.4.3 h1:DXmvivbWD5qdiBts9TpBC7BYL1Aia5sxbRgQB+v6UZM= | ||
109 | github.com/hashicorp/go-plugin v1.4.3/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= | ||
110 | github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= | ||
111 | github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM= | ||
112 | github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= | ||
113 | github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= | ||
114 | github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= | ||
115 | github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= | ||
116 | github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 h1:cCRo8gK7oq6A2L6LICkUZ+/a5rLiRXFMf1Qd4xSwxTc= | ||
117 | github.com/hashicorp/go-secure-stdlib/mlock v0.1.1/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= | ||
118 | github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= | ||
119 | github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= | ||
120 | github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= | ||
121 | github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= | ||
122 | github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= | ||
123 | github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= | ||
124 | github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= | ||
125 | github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs= | ||
126 | github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= | ||
127 | github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= | ||
128 | github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= | ||
129 | github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE= | ||
130 | github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= | ||
131 | github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E= | ||
132 | github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= | ||
133 | github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= | ||
134 | github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= | ||
135 | github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= | ||
136 | github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= | ||
137 | github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= | ||
138 | github.com/hashicorp/vault/api v1.8.0 h1:7765sW1XBt+qf4XKIYE4ebY9qc/yi9V2/egzGSUNMZU= | ||
139 | github.com/hashicorp/vault/api v1.8.0/go.mod h1:uJrw6D3y9Rv7hhmS17JQC50jbPDAZdjZoTtrCCxxs7E= | ||
140 | github.com/hashicorp/vault/api/auth/approle v0.3.0 h1:Ib0oCNXsCq/QZhPYtXPzJEbGS5WR/KoZf8c84QoFdkU= | ||
141 | github.com/hashicorp/vault/api/auth/approle v0.3.0/go.mod h1:hm51TbjzUkPO0Y17wkrpwOpvyyMRpXJNueTHiG04t3k= | ||
142 | github.com/hashicorp/vault/sdk v0.6.0 h1:6Z+In5DXHiUfZvIZdMx7e2loL1PPyDjA4bVh9ZTIAhs= | ||
143 | github.com/hashicorp/vault/sdk v0.6.0/go.mod h1:+DRpzoXIdMvKc88R4qxr+edwy/RvH5QK8itmxLiDHLc= | ||
144 | github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M= | ||
145 | github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= | ||
146 | github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= | ||
147 | github.com/jhump/protoreflect v1.6.0 h1:h5jfMVslIg6l29nsMs0D8Wj17RDVdNYti0vDN/PZZoE= | ||
148 | github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74= | ||
149 | github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= | ||
150 | github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= | ||
151 | github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= | ||
152 | github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= | ||
153 | github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= | ||
154 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= | ||
155 | github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= | ||
156 | github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= | ||
157 | github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= | ||
158 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= | ||
159 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= | ||
160 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= | ||
161 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= | ||
162 | github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= | ||
163 | github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= | ||
164 | github.com/mattn/go-colorable v0.1.6 h1:6Su7aK7lXmJ/U79bYtBjLNaha4Fs1Rg9plHpcH+vvnE= | ||
165 | github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= | ||
166 | github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= | ||
167 | github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= | ||
168 | github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= | ||
169 | github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= | ||
170 | github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= | ||
171 | github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= | ||
172 | github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= | ||
173 | github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ= | ||
174 | github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= | ||
175 | github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= | ||
176 | github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= | ||
177 | github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= | ||
178 | github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0= | ||
179 | github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= | ||
180 | github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= | ||
181 | github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= | ||
182 | github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= | ||
183 | github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= | ||
184 | github.com/mitchellh/reflectwalk v1.0.0 h1:9D+8oIskB4VJBN5SFlmc27fSlIBZaov1Wpk/IfikLNY= | ||
185 | github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= | ||
186 | github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= | ||
187 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= | ||
188 | github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= | ||
189 | github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= | ||
190 | github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= | ||
191 | github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw= | ||
192 | github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= | ||
193 | github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY= | ||
194 | github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= | ||
195 | github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI= | ||
196 | github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= | ||
197 | github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= | ||
198 | github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= | ||
199 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= | ||
200 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= | ||
201 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | ||
202 | github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= | ||
203 | github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= | ||
204 | github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= | ||
205 | github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= | ||
206 | github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= | ||
207 | github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= | ||
208 | github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= | ||
209 | github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= | ||
210 | github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= | ||
211 | github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= | ||
212 | github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= | ||
213 | github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= | ||
214 | github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= | ||
215 | github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= | ||
216 | github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= | ||
217 | github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= | ||
218 | github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= | ||
219 | github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= | ||
220 | github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= | ||
221 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= | ||
222 | github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A= | ||
223 | github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= | ||
224 | github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= | ||
225 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= | ||
226 | github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= | ||
227 | github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= | ||
228 | github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= | ||
229 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= | ||
230 | github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= | ||
231 | go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= | ||
232 | go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= | ||
233 | go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= | ||
234 | golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= | ||
235 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= | ||
236 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= | ||
237 | golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 h1:/UOmuWzQfxxo9UtlXMwuQU8CMgg1eZXqTRwkSQJWKOI= | ||
238 | golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= | ||
239 | golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= | ||
240 | golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= | ||
241 | golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= | ||
242 | golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= | ||
243 | golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= | ||
244 | golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= | ||
245 | golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= | ||
246 | golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= | ||
247 | golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= | ||
248 | golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= | ||
249 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= | ||
250 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= | ||
251 | golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= | ||
252 | golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= | ||
253 | golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 h1:qWPm9rbaAMKs8Bq/9LRpbMqxWRVUAQwMI9fVrssnTfw= | ||
254 | golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= | ||
255 | golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= | ||
256 | golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= | ||
257 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
258 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
259 | golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
260 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
261 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
262 | golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
263 | golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
264 | golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
265 | golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
266 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
267 | golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
268 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
269 | golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
270 | golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
271 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
272 | golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
273 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
274 | golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
275 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
276 | golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
277 | golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I= | ||
278 | golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
279 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= | ||
280 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= | ||
281 | golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= | ||
282 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= | ||
283 | golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 h1:NusfzzA6yGQ+ua51ck7E3omNUX/JuqbFSaRGqU8CcLI= | ||
284 | golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= | ||
285 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= | ||
286 | golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= | ||
287 | golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= | ||
288 | golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= | ||
289 | golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= | ||
290 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= | ||
291 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= | ||
292 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= | ||
293 | google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= | ||
294 | google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= | ||
295 | google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= | ||
296 | google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= | ||
297 | google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= | ||
298 | google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= | ||
299 | google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 h1:+kGHl1aib/qcwaRi1CbqBZ1rk19r85MNUf8HaBghugY= | ||
300 | google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= | ||
301 | google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= | ||
302 | google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= | ||
303 | google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= | ||
304 | google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= | ||
305 | google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= | ||
306 | google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= | ||
307 | google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= | ||
308 | google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= | ||
309 | google.golang.org/grpc v1.41.0 h1:f+PlOh7QV4iIJkPrx5NQ7qaNGFQ3OTse67yaDHfju4E= | ||
310 | google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k= | ||
311 | google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= | ||
312 | google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= | ||
313 | google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= | ||
314 | google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= | ||
315 | google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= | ||
316 | google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= | ||
317 | google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= | ||
318 | google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= | ||
319 | google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= | ||
320 | google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= | ||
321 | google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk= | ||
322 | google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= | ||
323 | gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= | ||
324 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= | ||
325 | gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= | ||
326 | gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w= | ||
327 | gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= | ||
328 | gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= | ||
329 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= | ||
330 | gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= | ||
331 | gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= | ||
332 | gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= | ||
333 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= | ||
334 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= | ||
335 | honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= | ||
336 | honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= | ||
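--- /dev/null
+++ b/secrets/vault_client.go
@@ -0,0 +1,426 @@
+package secrets
+
+import (
+"container/heap"
+"context"
+"encoding/json"
+"errors"
+"fmt"
+"net/http"
+"path"
+"sync"
+"time"
+
+glos "code.crute.us/mcrute/golib/os"
+
+"github.com/hashicorp/vault/api"
+"github.com/hashicorp/vault/api/auth/approle"
+"github.com/mitchellh/mapstructure"
+)
+
+const (
+renewalStartPercent = 0.8
+notificationChanLen = 100
+defaultIncrement = 30 * 60 // 30 minutes (as seconds)
+defaultTimeout = 10 * time.Second
+renewalWindow = 30 * time.Second
+)
+
+type vaultRenewalMinHeap []*VaultHandle
+
+func (h vaultRenewalMinHeap) Len() int { return len(h) }
+func (h vaultRenewalMinHeap) Less(i, j int) bool { return h[i].renewAfter() < h[j].renewAfter() }
+func (h vaultRenewalMinHeap) Swap(i, j int) { h[i], h[j] = h[j], h[i] }
+func (h *vaultRenewalMinHeap) Push(x any) { *h = append(*h, x.(*VaultHandle)) }
+func (h vaultRenewalMinHeap) Root() *VaultHandle { return h[0] }
+
+// Convenience methods to hide the collections/heap stuff from users
+func (h *vaultRenewalMinHeap) PopHeap() *VaultHandle { return heap.Pop(h).(*VaultHandle) }
+func (h *vaultRenewalMinHeap) PushHeap(i *VaultHandle) { heap.Push(h, i) }
+func (h *vaultRenewalMinHeap) Init() { heap.Init(h) }
+
+func (h *vaultRenewalMinHeap) Pop() any {
+old := *h
+n := len(old)
+item := old[n-1]
+old[n-1] = nil // avoid memory leak
+*h = old[0 : n-1]
+return item
+}
+
+func (h *vaultRenewalMinHeap) FindRemove(handle *VaultHandle) bool {
+for i, hnd := range *h {
+if hnd.name == handle.name {
+heap.Remove(h, i)
+return true
+}
+}
+return false
+}
+
+type VaultHandle struct {
+name string
+critical bool
+acquired time.Time
+secret *api.Secret
+}
+
+var _ Handle = (*VaultHandle)(nil)
+
+func (h *VaultHandle) isAuthToken() bool {
+return h.secret.Auth != nil
+}
+
+func (h *VaultHandle) renewAfter() time.Duration {
+after := float64(h.leaseDuration().Nanoseconds()) * renewalStartPercent
+afterTime := h.acquired.Add(time.Duration(after))
+return afterTime.Sub(time.Now()).Round(time.Second)
+}
+
+func (h *VaultHandle) leaseDuration() time.Duration {
+duration := time.Duration(h.secret.LeaseDuration) * time.Second
+if h.isAuthToken() {
+return time.Duration(h.secret.Auth.LeaseDuration) * time.Second
+}
+return duration
+}
+
+func (h *VaultHandle) renew(ctx context.Context, c VaultServiceClient, inc int) (err error) {
+var s *api.Secret
+
+vctx, cancel := context.WithTimeout(ctx, defaultTimeout)
+defer cancel()
+
+if h.isAuthToken() {
+s, err = c.Auth().Token().RenewTokenAsSelfWithContext(vctx, h.secret.Auth.ClientToken, inc)
+if err != nil {
+return err
+}
+} else {
+s, err = c.Sys().RenewWithContext(vctx, h.secret.LeaseID, inc)
+if err != nil {
+return err
+}
+}
+
+h.secret = s
+h.acquired = time.Now()
+
+return nil
+}
+
+func (h *VaultHandle) Reference() string {
+return h.name
+}
+
+type VaultServiceClient interface {
+Auth() *api.Auth
+Sys() *api.Sys
+Token() string
+}
+
+type VaultClient struct {
+sync.Mutex
+
+client VaultServiceClient
+logical *api.Logical
+auth *approle.AppRoleAuth
+secrets vaultRenewalMinHeap
+renewIncrement int
+notifications chan Renewal
+}
+
+var _ Client = (*VaultClient)(nil)
+var _ ClientManager = (*VaultClient)(nil)
+
+type VaultClientConfig struct {
+Host string `env:"VAULT_ADDR"`
+Token string `env:"VAULT_TOKEN"`
+RoleId string `env:"VAULT_ROLE_ID"`
+RoleSecret string `env:"VAULT_SECRET_ID"`
+Increment int `env:"VAULT_INCREMENT"`
+AppRoleAuth *approle.AppRoleAuth
+}
+
+func (c *VaultClientConfig) Validate() error {
+if c.Host == "" {
+return fmt.Errorf("VaultClientConfig: Vault host is not specified")
+}
+
+// The presence of a token is always assumed to be valid, client errors
+// will occur otherwise.
+if c.Token != "" {
+return nil
+}
+
+// This constructor does a bunch of validation internally so just let
+// it do its thing and return any errors from that directly to the
+// user.
+ar, err := approle.NewAppRoleAuth(c.RoleId, &approle.SecretID{FromString: c.RoleSecret})
+if err != nil {
+return fmt.Errorf("VaultClientConfig: AppRole credentials invalid: %w", err)
+}
+c.AppRoleAuth = ar
+
+return nil
+}
+
+// NewVaultClient will attempt to create a secrets.Client from the
+// passed config. Config can be nil, in which case an attempt will
+// be made to load the configuration from environment variables. See
+// VaultClientConfig for the expected names of those variables.
+func NewVaultClient(cfg *VaultClientConfig) (ClientManager, error) {
+if cfg == nil {
+cfg = &VaultClientConfig{}
+}
+
+if err := glos.UnmarshalEnvironment(cfg); err != nil {
+return nil, err
+}
+
+if err := cfg.Validate(); err != nil {
+return nil, err
+}
+
+vc, err := api.NewClient(api.DefaultConfig())
+if err != nil {
+return nil, fmt.Errorf("NewVaultClient: error building client config: %w", err)
+}
+vc.SetAddress(cfg.Host)
+
+if cfg.Token != "" {
+vc.SetToken(cfg.Token)
+}
+
+c := &VaultClient{
+client: vc,
+logical: vc.Logical(),
+secrets: vaultRenewalMinHeap{},
+notifications: make(chan Renewal, notificationChanLen),
+auth: cfg.AppRoleAuth,
+renewIncrement: cfg.Increment,
+}
+
+c.secrets.Init()
+
+if c.renewIncrement == 0 {
+c.renewIncrement = defaultIncrement
+}
+
+return c, nil
+}
+
+func (c *VaultClient) Notifications() <-chan Renewal {
+return c.notifications
+}
+
+func (c *VaultClient) Authenticate(ctx context.Context) error {
+if c.auth == nil {
+return c.authToken(ctx)
+} else {
+return c.authAppRole(ctx)
+}
+}
+
+func (c *VaultClient) authToken(ctx context.Context) error {
+if c.client.Token() == "" {
+return fmt.Errorf("Authenticate: unable to authenticate, neither token nor approle provided")
+}
+
+vctx, cancel := context.WithTimeout(ctx, defaultTimeout)
+defer cancel()
+
+secret, err := c.client.Auth().Token().LookupSelfWithContext(vctx)
+if err != nil {
+return err
+}
+
+// Looking up self does not return an auth token just a map of data
+// about the current token. Convert this into a SecretAuth so that
+// downstream renewal code does the right thing.
+secret.Auth = &api.SecretAuth{}
+if err := mapstructure.Decode(secret.Data, secret.Auth); err != nil {
+return err
+}
+secret.Auth.ClientToken = c.client.Token()
+
+c.makeHandle("login", secret)
+
+return nil
+}
+
+func (c *VaultClient) authAppRole(ctx context.Context) error {
+vctx, cancel := context.WithTimeout(ctx, defaultTimeout)
+defer cancel()
+
+s, err := c.client.Auth().Login(vctx, c.auth)
+if err != nil {
+return fmt.Errorf("Authenticate: error logging in to vault: %w", err)
+}
+c.makeHandle("login", s)
+return err
+}
+
+// makeHandle creates a secret handle and schedules it for renewal if it
+// is renewable.
+func (c *VaultClient) makeHandle(name string, s *api.Secret) Handle {
+h := &VaultHandle{
+name: name,
+critical: true, // Everything is critical unless marked otherwise
+acquired: time.Now(),
+secret: s,
+}
+
+// If this is renewable then schedule it for renewal
+if (s.Auth != nil && s.Auth.Renewable) || s.Renewable {
+c.Lock()
+c.secrets.PushHeap(h)
+c.Unlock()
+}
+
+return h
+}
+
+func (c *VaultClient) read(ctx context.Context, prefix, suffix string) (Handle, error) {
+key := path.Join(prefix, suffix)
+
+s, err := c.logical.ReadWithContext(ctx, key)
+if err != nil {
+return nil, fmt.Errorf("read: error reading from Vault: %w", err)
+}
+
+return c.makeHandle(key, s), nil
+}
+
+func (c *VaultClient) isRecoverableDbError(err error) bool {
+var apiErr *api.ResponseError
+return errors.Is(api.ErrSecretNotFound, err) ||
+(errors.As(err, &apiErr) && apiErr.StatusCode == http.StatusForbidden)
+}
+
+func (c *VaultClient) DatabaseCredential(ctx context.Context, suffix string) (*Credential, Handle, error) {
+cred, hnd, err := c.databaseCredentialDynamic(ctx, suffix)
+if err != nil {
+if c.isRecoverableDbError(err) {
+cred, hnd, err = c.databaseCredentialStatic(ctx, suffix)
+}
+}
+return cred, hnd, err
+}
+
+func (c *VaultClient) databaseCredentialDynamic(ctx context.Context, suffix string) (*Credential, Handle, error) {
+h, err := c.read(ctx, "database/creds", suffix)
+if err != nil {
+return nil, nil, err
+}
+vh := h.(*VaultHandle)
+
+var d Credential
+if err = mapstructure.Decode(vh.secret.Data, &d); err != nil {
+return nil, nil, fmt.Errorf("databaseCredentialStatic: error decoding secret: %w", err)
+}
+
+return &d, h, nil
+}
+
+func (c *VaultClient) databaseCredentialStatic(ctx context.Context, suffix string) (*Credential, Handle, error) {
+h, err := c.read(ctx, "database/static-creds", suffix)
+if err != nil {
+return nil, nil, err
+}
+
+var d Credential
+if err = mapstructure.Decode(h.(*VaultHandle).secret.Data, &d); err != nil {
+return nil, nil, fmt.Errorf("databaseCredentialStatic: error decoding secret: %w", err)
+}
+
+return &d, h, nil
+}
+
+func (c *VaultClient) Secret(ctx context.Context, suffix string, out any) (Handle, error) {
+h, err := c.read(ctx, "kv/data", suffix)
+if err != nil {
+return nil, err
+}
+
+if err = mapstructure.Decode(h.(*VaultHandle).secret.Data["data"], out); err != nil {
+return nil, err
+}
+
+return h, nil
+}
+
+func (c *VaultClient) WriteSecret(ctx context.Context, suffix string, in any) error {
+inb, err := json.Marshal(in)
+if err != nil {
+return fmt.Errorf("WriteSecret: error encoding json: %w", err)
+}
+
+if _, err = c.logical.WriteBytesWithContext(ctx, path.Join("kv/data", suffix), inb); err != nil {
+return fmt.Errorf("WriteSecret: error writing to vault: %w", err)
+}
+
+return nil
+}
+
+func (c *VaultClient) Destroy(h Handle) error {
+c.Lock()
+defer c.Unlock()
+
+c.secrets.FindRemove(h.(*VaultHandle))
+
+return nil
+}
+
+func (c *VaultClient) MakeNonCritical(h Handle) error {
+h.(*VaultHandle).critical = false
+return nil
+}
+
+func (c *VaultClient) renewAttempt(ctx context.Context) (next time.Duration) {
+c.Lock()
+defer c.Unlock()
+
+// In the absence of any other time, run once a second
+next = 5 * time.Second
+
+if c.secrets.Len() < 1 {
+return
+}
+
+for {
+s := c.secrets.PopHeap()
+if s.renewAfter() < renewalWindow {
+// Underlying client does backoff and retry
+c.notifications <- Renewal{
+Name: s.name,
+Critical: s.critical,
+Time: time.Now(),
+Error: s.renew(ctx, c.client, c.renewIncrement),
+}
+c.secrets.PushHeap(s)
+} else {
+c.secrets.PushHeap(s)
+next = c.secrets.Root().renewAfter()
+break
+}
+}
+
+return next
+}
+
+func (c *VaultClient) Run(ctx context.Context, wg *sync.WaitGroup) error {
+wg.Add(1)
+defer wg.Done()
+
+for {
+sleepTime := c.renewAttempt(ctx)
+
+select {
+case <-time.After(sleepTime):
+continue
+case <-ctx.Done():
+return nil
+}
+}
+}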
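Review bot: In `renewAttempt`, a handle whose renewal fails is pushed back with `secret` and `acquired` unchanged, so `renewAfter()` is still below `renewalWindow` and the `for` loop pops the same handle again at once. The loop has no exit on error and no `ctx.Done()` check, so a single lease that can no longer be renewed keeps the mutex held and `Run` never reaches its `select`. The send on `c.notifications` also happens under that lock, so once the 100-slot buffer fills with no reader, `makeHandle` and `Destroy` block as well. I would collect the due handles first and renew each one once per pass, as sketched below. Separately, `isRecoverableDbError` calls `errors.Is(api.ErrSecretNotFound, err)` with the arguments reversed, which cannot match the error that `read` wraps with `%w`; it should read `errors.Is(err, api.ErrSecretNotFound)`.

```go
func (c *VaultClient) renewAttempt(ctx context.Context) (next time.Duration) {
	// … unchanged: lock, 5s default, empty-heap return …

	// Take every due handle out of the heap first, so a handle whose
	// renewal fails is tried once per pass and not popped again.
	var due []*VaultHandle
	for c.secrets.Len() > 0 && c.secrets.Root().renewAfter() < renewalWindow {
		due = append(due, c.secrets.PopHeap())
	}

	for _, s := range due {
		// … unchanged: send Renewal{…} with s.renew(…) as Error …
		c.secrets.PushHeap(s)
	}

	// Sleep until the next handle is due, but never less than the
	// default, so a failing handle is retried on the next pass.
	if c.secrets.Len() > 0 {
		if d := c.secrets.Root().renewAfter(); d > next {
			next = d
		}
	}
	return next
}
```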