open-vault/logical/auth.go

package logical

import (
	"fmt"
	"time"
)

// Auth is the resulting authentication information that is part of
// Response for credential backends.
type Auth struct {
	LeaseOptions

	// InternalData is JSON-encodable data that is stored with the auth struct.
	// This will be sent back during a Renew/Revoke for storing internal data
	// used for those operations.
	InternalData map[string]interface{} `json:"internal_data" mapstructure:"internal_data" structs:"internal_data"`

	// DisplayName is a non-security sensitive identifier that is
	// applicable to this Auth. It is used for logging and prefixing
	// of dynamic secrets. For example, DisplayName may be "armon" for
	// the github credential backend. If the client token is used to
	// generate a SQL credential, the user may be "github-armon-uuid".
	// This is to help identify the source without using audit tables.
	DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`

	// Policies is the list of policies that the authenticated user
	// is associated with.
	Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`

	// Metadata is used to attach arbitrary string-type metadata to
	// an authenticated user. This metadata will be outputted into the
	// audit log.
	Metadata map[string]string `json:"metadata" mapstructure:"metadata" structs:"metadata"`

	// ClientToken is the token that is generated for the authentication.
	// This will be filled in by Vault core when an auth structure is
	// returned. Setting this manually will have no effect.
	ClientToken string `json:"client_token" mapstructure:"client_token" structs:"client_token"`

	// Accessor is the identifier for the ClientToken. This can be used
	// to perform management functionalities (especially revocation) when
	// ClientToken in the audit logs are obfuscated. Accessor can be used
	// to revoke a ClientToken and to lookup the capabilities of the ClientToken,
	// both without actually knowing the ClientToken.
	Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor"`

	// Period indicates that the token generated using this Auth object
	// should never expire. The token should be renewed within the duration
	// specified by this period.
	Period time.Duration `json:"period" mapstructure:"period" structs:"period"`

	// Number of allowed uses of the issued token
	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`

	// EntityID is the identifier of the entity in identity store to which the
	// identity of the authenticating client belongs to.
	EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`

	// Alias is the information about the authenticated client returned by
	// the auth backend
	Alias *Alias `json:"alias" mapstructure:"alias" structs:"alias"`

	// GroupAliases are the informational mappings of external groups which an
	// authenticated user belongs to. This is used to check if there are
	// mappings groups for the group aliases in identity store. For all the
	// matching groups, the entity ID of the user will be added.
	GroupAliases []*Alias `json:"group_aliases" mapstructure:"group_aliases" structs:"group_aliases"`
}

func (a *Auth) GoString() string {
	return fmt.Sprintf("*%#v", *a)
}
logical: add credential info to logical backend structures 2015-03-30 21:23:32 +00:00			`package logical`

AppRole authentication backend 2016-05-30 18:30:01 +00:00			`import (`
			`"fmt"`
			`"time"`
			`)`
logical: GoStringer for Auth 2015-04-01 22:08:43 +00:00
logical: add credential info to logical backend structures 2015-03-30 21:23:32 +00:00			`// Auth is the resulting authentication information that is part of`
			`// Response for credential backends.`
			`type Auth struct {`
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00			`LeaseOptions`
vault: get rid of HangleLogin 2015-03-31 03:26:39 +00:00
vault: Adding InternalData to Auth 2015-05-09 18:39:54 +00:00			`// InternalData is JSON-encodable data that is stored with the auth struct.`
			`// This will be sent back during a Renew/Revoke for storing internal data`
			`// used for those operations.`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			InternalData map[string]interface{} `json:"internal_data" mapstructure:"internal_data" structs:"internal_data"`
vault: Adding InternalData to Auth 2015-05-09 18:39:54 +00:00
logical: Adding a DisplayName for operators 2015-04-15 20:56:42 +00:00			`// DisplayName is a non-security sensitive identifier that is`
			`// applicable to this Auth. It is used for logging and prefixing`
			`// of dynamic secrets. For example, DisplayName may be "armon" for`
			`// the github credential backend. If the client token is used to`
			`// generate a SQL credential, the user may be "github-armon-uuid".`
			`// This is to help identify the source without using audit tables.`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`
logical: Adding a DisplayName for operators 2015-04-15 20:56:42 +00:00
logical: add credential info to logical backend structures 2015-03-30 21:23:32 +00:00			`// Policies is the list of policies that the authenticated user`
			`// is associated with.`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`
logical: add credential info to logical backend structures 2015-03-30 21:23:32 +00:00
			`// Metadata is used to attach arbitrary string-type metadata to`
			`// an authenticated user. This metadata will be outputted into the`
			`// audit log.`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			Metadata map[string]string `json:"metadata" mapstructure:"metadata" structs:"metadata"`
logical: adding lease to auth 2015-04-03 00:25:22 +00:00
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00			`// ClientToken is the token that is generated for the authentication.`
			`// This will be filled in by Vault core when an auth structure is`
			`// returned. Setting this manually will have no effect.`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			ClientToken string `json:"client_token" mapstructure:"client_token" structs:"client_token"`
Introduced AccessorID in TokenEntry and returning it along with token 2016-03-08 17:51:38 +00:00
AccessorID --> Accessor, accessor_id --> accessor 2016-03-09 11:23:31 +00:00			`// Accessor is the identifier for the ClientToken. This can be used`
Introduced AccessorID in TokenEntry and returning it along with token 2016-03-08 17:51:38 +00:00			`// to perform management functionalities (especially revocation) when`
AccessorID --> Accessor, accessor_id --> accessor 2016-03-09 11:23:31 +00:00			`// ClientToken in the audit logs are obfuscated. Accessor can be used`
Introduced AccessorID in TokenEntry and returning it along with token 2016-03-08 17:51:38 +00:00			`// to revoke a ClientToken and to lookup the capabilities of the ClientToken,`
Error text corrections and minor refactoring 2016-03-09 03:27:24 +00:00			`// both without actually knowing the ClientToken.`
AppRole authentication backend 2016-05-30 18:30:01 +00:00			Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor"`

			`// Period indicates that the token generated using this Auth object`
			`// should never expire. The token should be renewed within the duration`
			`// specified by this period.`
			Period time.Duration `json:"period" mapstructure:"period" structs:"period"`
AppRole: Support restricted use tokens (#2435) * approle: added token_num_uses to the role * approle: added RUD tests for token_num_uses on role * approle: doc: added token_num_uses 2017-03-03 14:31:20 +00:00
			`// Number of allowed uses of the issued token`
			NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`
Added persona to logical auth 2017-08-15 17:55:53 +00:00
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor 2017-10-11 17:21:20 +00:00			`// EntityID is the identifier of the entity in identity store to which the`
			`// identity of the authenticating client belongs to.`
			EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`

Rename persona to alias (#3420) Merging this will break the build. I'll fix it post merge by updating the vendor libs. 2017-10-04 17:35:05 +00:00			`// Alias is the information about the authenticated client returned by`
Added persona to logical auth 2017-08-15 17:55:53 +00:00			`// the auth backend`
External identity groups (#3447) * external identity groups * add local LDAP groups as well to group aliases * add group aliases for okta credential backend * Fix panic in tests * fix build failure * remove duplicated struct tag * add test steps to test out removal of group member during renewals * Add comment for having a prefix check in router * fix tests * s/parent_id/canonical_id * s/parent/canonical in comments and errors 2017-11-02 20:05:48 +00:00			Alias *Alias `json:"alias" mapstructure:"alias" structs:"alias"`

			`// GroupAliases are the informational mappings of external groups which an`
			`// authenticated user belongs to. This is used to check if there are`
			`// mappings groups for the group aliases in identity store. For all the`
			`// matching groups, the entity ID of the user will be added.`
			GroupAliases []*Alias `json:"group_aliases" mapstructure:"group_aliases" structs:"group_aliases"`
logical: add credential info to logical backend structures 2015-03-30 21:23:32 +00:00			`}`
logical: GoStringer for Auth 2015-04-01 22:08:43 +00:00
			`func (a *Auth) GoString() string {`
			`return fmt.Sprintf("%#v", a)`
			`}`