package logical

import (
	"fmt"
	"time"

	sockaddr "github.com/hashicorp/go-sockaddr"
)

// Auth is the resulting authentication information that is part of
// Response for credential backends.
//
// A credential backend fills in the policy, alias, metadata and TTL-related
// fields; per the field comments below, ClientToken is assigned by Vault core
// after the struct is returned and cannot be set by the backend. Note that
// several fields hold material that must be handled as sensitive (ClientToken)
// or that ends up in the audit log (Metadata) — see the individual comments.
type Auth struct {
	LeaseOptions

	// InternalData is JSON-encodable data that is stored with the auth struct.
	// This will be sent back during a Renew/Revoke for storing internal data
	// used for those operations.
	InternalData map[string]interface{} `json:"internal_data" mapstructure:"internal_data" structs:"internal_data"`

	// DisplayName is a non-security sensitive identifier that is
	// applicable to this Auth. It is used for logging and prefixing
	// of dynamic secrets. For example, DisplayName may be "armon" for
	// the github credential backend. If the client token is used to
	// generate a SQL credential, the user may be "github-armon-uuid".
	// This is to help identify the source without using audit tables.
	// Because it is used for logging and embedded in secret names, it must
	// never carry anything that would be secret on its own.
	DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`

	// Policies is the list of policies that the authenticated user
	// is associated with.
	Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`

	// TokenPolicies and IdentityPolicies break down the list in Policies to
	// help determine where a policy was sourced.
	TokenPolicies    []string `json:"token_policies" mapstructure:"token_policies" structs:"token_policies"`
	IdentityPolicies []string `json:"identity_policies" mapstructure:"identity_policies" structs:"identity_policies"`

	// ExternalNamespacePolicies represent the policies authorized from
	// different namespaces, indexed by respective namespace identifiers.
	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies" mapstructure:"external_namespace_policies" structs:"external_namespace_policies"`

	// NoDefaultPolicy indicates that the default policy should not be added
	// by core when creating a token. The default policy will still be added
	// if it's explicitly defined (i.e. listed in Policies).
	NoDefaultPolicy bool `json:"no_default_policy" mapstructure:"no_default_policy" structs:"no_default_policy"`

	// Metadata is used to attach arbitrary string-type metadata to
	// an authenticated user. This metadata will be outputted into the
	// audit log. Because it is written to the audit log, backends must not
	// place secrets (passwords, raw credentials, tokens) in Metadata.
	Metadata map[string]string `json:"metadata" mapstructure:"metadata" structs:"metadata"`

	// ClientToken is the token that is generated for the authentication.
	// This will be filled in by Vault core when an auth structure is
	// returned. Setting this manually will have no effect.
	// This value is a bearer credential: never log it or include it in
	// error messages; use Accessor when a token needs to be referenced.
	ClientToken string `json:"client_token" mapstructure:"client_token" structs:"client_token"`

	// Accessor is the identifier for the ClientToken. This can be used
	// to perform management functionalities (especially revocation) when
	// the ClientToken in the audit logs is obfuscated. Accessor can be used
	// to revoke a ClientToken and to look up the capabilities of the ClientToken,
	// both without actually knowing the ClientToken.
	Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor"`

	// Period indicates that the token generated using this Auth object
	// should never expire. The token should be renewed within the duration
	// specified by this period.
	Period time.Duration `json:"period" mapstructure:"period" structs:"period"`

	// ExplicitMaxTTL is the max TTL that constrains periodic tokens. For normal
	// tokens, this value is constrained by the configured max ttl.
	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl"`

	// NumUses is the number of allowed uses of the issued token.
	// NOTE(review): the meaning of 0 (presumably "unlimited") is enforced by
	// core, not here — confirm against the token store before relying on it.
	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`

	// EntityID is the identifier of the entity in the identity store to
	// which the identity of the authenticating client belongs.
	EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`

	// Alias is the information about the authenticated client returned by
	// the auth backend.
	Alias *Alias `json:"alias" mapstructure:"alias" structs:"alias"`

	// GroupAliases are the informational mappings of external groups which an
	// authenticated user belongs to. This is used to check whether groups in
	// the identity store are mapped to these group aliases. For all the
	// matching groups, the entity ID of the user will be added.
	GroupAliases []*Alias `json:"group_aliases" mapstructure:"group_aliases" structs:"group_aliases"`

	// BoundCIDRs is the set of CIDRs that this token can be used with.
	// NOTE(review): enforcement of this restriction happens outside this
	// file (presumably in core at request time) — an empty set here is
	// simply "no CIDR restriction requested by the backend".
	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"`

	// CreationPath is a path that the backend can return to use in the lease.
	// This is currently only supported for the token store where roles may
	// change the perceived path of the lease, even though they don't change
	// the request path itself.
	CreationPath string `json:"creation_path"`

	// TokenType is the type of token being requested.
	TokenType TokenType `json:"token_type"`

	// Orphan is set if the token does not have a parent.
	Orphan bool `json:"orphan"`
}

// GoString implements fmt.GoStringer so that formatting an *Auth with %#v
// renders the dereferenced struct (prefixed with "*") rather than a pointer
// address.
//
// NOTE(review): %#v prints every exported field verbatim, which includes
// ClientToken as well as InternalData and Metadata. Do not format an *Auth
// with %#v into log lines, error messages or anything else that may be
// persisted or shipped off-host; reference the token by Accessor instead.
func (a *Auth) GoString() string {
	return fmt.Sprintf("*%#v", *a)
}