Documentation
Overview
COPYRIGHT 2025 FERMI NATIONAL ACCELERATOR LABORATORY
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Package vaultToken provides functions for obtaining and validating HashiCorp Vault tokens using the configured HTCondor installation.
Index
- Constants
- func GetAllVaultTokenLocations(serviceName string) ([]string, error)
- func GetCondorVaultTokenLocation(serviceName string) string
- func IsServiceToken(token string) bool
- func RemoveServiceVaultTokens(serviceName string) error
- type ErrAuthNeeded
- type HtgettokenClient
- type InvalidVaultTokenError
- type VaultStorerClient
Constants
const (
	ServiceTokenPrefix       = "hvs."
	LegacyServiceTokenPrefix = "s."
)
Variables
This section is empty.
Functions
func GetAllVaultTokenLocations
GetAllVaultTokenLocations returns the locations of the vault tokens that both HTCondor and other OSG grid tools will use. The first element of the returned slice is the standard location for most grid tools, and the second is the standard location for HTCondor.
func GetCondorVaultTokenLocation added in v0.18.0
GetCondorVaultTokenLocation returns the location of the vault token that HTCondor uses, based on the current user's UID. If for some reason the current user cannot be determined, it falls back to os.Getuid(); that call does not cache the user info, which is why user.Current() is preferred.
func IsServiceToken
IsServiceToken validates that a token string follows the HashiCorp service token convention.
func RemoveServiceVaultTokens
RemoveServiceVaultTokens removes the vault token files at the standard OSG Grid Tools and HTCondor locations.
Types
type ErrAuthNeeded
type ErrAuthNeeded struct {
// contains filtered or unexported fields
}
ErrAuthNeeded represents an error indicating that authentication is required. It wraps an underlying error that provides more context about the authentication failure.
func (*ErrAuthNeeded) Error
func (e *ErrAuthNeeded) Error() string
func (*ErrAuthNeeded) Unwrap
func (e *ErrAuthNeeded) Unwrap() error
type HtgettokenClient added in v0.18.0
type HtgettokenClient struct {
CommandEnvironment *environment.CommandEnvironment
// contains filtered or unexported fields
}
HtgettokenClient is a client for interacting with the htgettoken command-line tool.
func NewHtgettokenClient added in v0.18.0
func NewHtgettokenClient(vaultServer, vaultTokenFile, outFile string, env *environment.CommandEnvironment, options ...string) (*HtgettokenClient, error)
NewHtgettokenClient creates a new HtgettokenClient instance. outFile and options are optional; if not provided, they are set to default values. The HTGETTOKENOPTS environment variable should be set in the CommandEnvironment if needed, like this:
c := environment.CommandEnvironment{}
c.SetHtgettokenOpts("value")
func (*HtgettokenClient) GetToken added in v0.18.0
func (h *HtgettokenClient) GetToken(ctx context.Context, issuer, role string, interactive bool) ([]byte, error)
GetToken retrieves a bearer token from the Vault server using the htgettoken command. The issuer, as in the htgettoken command, refers not to the token's "iss" claim but to the Vault/OpenBao-configured "issuer" key of the token issuer.
func (*HtgettokenClient) WithVerbose added in v0.18.0
func (h *HtgettokenClient) WithVerbose() *HtgettokenClient
WithVerbose enables verbose mode for the htgettoken command.
type InvalidVaultTokenError
type InvalidVaultTokenError struct {
// contains filtered or unexported fields
}
InvalidVaultTokenError is an error indicating that the token contained in filename is not a valid HashiCorp service token (what is called a vault token in the managed-tokens/OSG/WLCG world).
func (*InvalidVaultTokenError) Error
func (i *InvalidVaultTokenError) Error() string
type VaultStorerClient added in v0.18.0
type VaultStorerClient struct {
CommandEnvironment *environment.CommandEnvironment
// contains filtered or unexported fields
}
VaultStorerClient is a client for storing tokens in a Vault server and an HTCondor credd.
func NewVaultStorerClient added in v0.18.0
func NewVaultStorerClient(credd, vaultServer string, environ *environment.CommandEnvironment) *VaultStorerClient
NewVaultStorerClient creates and returns a new VaultStorerClient instance configured with the specified credd host, vault server address, and command environment. If the provided environment's _condor_CREDD_HOST differs from the given credd value, a copy of the environment is made with the credd value set appropriately.
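The copy-on-mismatch rule above matters because a CommandEnvironment is passed by pointer: if the constructor simply overwrote _condor_CREDD_HOST, every other client sharing that environment would silently start talking to a different credd. The example below, written for this page rather than taken from the managed-tokens project, shows the rule with a stand-in CommandEnvironment whose field names, the ToEnv rendering, and the "condor_vault_storer <service>" invocation it builds are all assumptions of the example; the real environment.CommandEnvironment API is not shown on this page.

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
)

// CommandEnvironment stands in for the project's environment.CommandEnvironment;
// the field names are assumptions of this example.
type CommandEnvironment struct {
	CondorCreddHost string // rendered as _condor_CREDD_HOST
	HtgettokenOpts  string // rendered as HTGETTOKENOPTS
}

// ToEnv renders the environment as KEY=VALUE pairs for exec.Cmd.Env,
// emitting only the variables that are set.
func (c *CommandEnvironment) ToEnv() []string {
	var env []string
	if c.CondorCreddHost != "" {
		env = append(env, "_condor_CREDD_HOST="+c.CondorCreddHost)
	}
	if c.HtgettokenOpts != "" {
		env = append(env, "HTGETTOKENOPTS="+c.HtgettokenOpts)
	}
	return env
}

type VaultStorerClient struct {
	credd, vaultServer string
	env                *CommandEnvironment
}

// NewVaultStorerClient follows the rule on the page: the caller's environment
// is reused when its _condor_CREDD_HOST already equals credd, and copied (with
// the credd value set) when it differs, so the caller's value is never mutated.
func NewVaultStorerClient(credd, vaultServer string, environ *CommandEnvironment) *VaultStorerClient {
	env := environ
	if environ.CondorCreddHost != credd {
		cp := *environ
		cp.CondorCreddHost = credd
		env = &cp
	}
	return &VaultStorerClient{credd: credd, vaultServer: vaultServer, env: env}
}

func (v *VaultStorerClient) GetCredd() string        { return v.credd }
func (v *VaultStorerClient) GetVaultServer() string  { return v.vaultServer }
func (v *VaultStorerClient) Env() *CommandEnvironment { return v.env }

// Command builds, without running, the storer invocation. The tool name and
// argument form are assumptions of this example. Entries appended last to
// cmd.Env win when os/exec deduplicates, so the client's values override
// anything inherited from the parent process.
func (v *VaultStorerClient) Command(ctx context.Context, serviceName string) *exec.Cmd {
	cmd := exec.CommandContext(ctx, "condor_vault_storer", serviceName)
	cmd.Env = append(cmd.Environ(), v.env.ToEnv()...)
	return cmd
}

func main() {
	// Constructed values: a shared environment pointing at one credd, and a
	// client that needs a different one.
	shared := &CommandEnvironment{CondorCreddHost: "credd-a.example", HtgettokenOpts: "-v"}
	client := NewVaultStorerClient("credd-b.example", "https://vault.example", shared)
	fmt.Println("client credd:", client.GetCredd(), "shared credd still:", shared.CondorCreddHost)
	fmt.Println("args:", client.Command(context.Background(), "myservice").Args)
}
```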
func (*VaultStorerClient) GetAndStoreToken added in v0.18.0
func (v *VaultStorerClient) GetAndStoreToken(ctx context.Context, serviceName string, interactive bool) error
GetAndStoreToken gets and stores a vault token for the given serviceName in the configured vault server and credd. If interactive is true, the command may prompt the user for action if needed.
func (*VaultStorerClient) GetCredd added in v0.18.0
func (v *VaultStorerClient) GetCredd() string
GetCredd returns the value of the credd field from the VaultStorerClient.
func (*VaultStorerClient) GetVaultServer added in v0.18.0
func (v *VaultStorerClient) GetVaultServer() string
GetVaultServer returns the address of the Vault server associated with the VaultStorerClient.
func (*VaultStorerClient) WithVerbose added in v0.18.0
func (v *VaultStorerClient) WithVerbose() *VaultStorerClient
WithVerbose enables verbose logging for the VaultStorerClient.