gitlab

v0.1.0 Latest Latest
Published: Aug 30, 2023 License: MIT Imports: 18 Imported by: 0

README

Vault Plugin for Gitlab Access Token


This is a standalone backend plugin for use with Hashicorp Vault. It allows Vault to generate Gitlab personal, project and group access tokens.

Getting Started

This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works.

Otherwise, first read this guide on how to get started with Vault.

To learn specifically about how plugins work, see documentation on Vault plugins.

Setup

Before this plugin can be used, a Gitlab access token must be created with the rights needed for the operations the plugin will perform.

Security Model

The current authentication model requires providing Vault with a Gitlab Token.

TODO

  • Implement autorotation of the main token
  • Add tests against real Gitlab instance

Documentation

Index

Constants

const (
	// DefaultConfigFieldAccessTokenMaxTTL is the backend-config default for the
	// access-token max TTL field. It is zero, which presumably means "unset" —
	// confirm against the config path handler.
	DefaultConfigFieldAccessTokenMaxTTL time.Duration = 0
	// DefaultRoleFieldAccessTokenMaxTTL is the role-level default for the
	// access-token max TTL field (one day).
	DefaultRoleFieldAccessTokenMaxTTL time.Duration = time.Hour * 24
	// DefaultAccessTokenMinTTL is the default lower bound on an access token's
	// TTL (one day).
	DefaultAccessTokenMinTTL time.Duration = time.Hour * 24
	// DefaultAccessTokenMaxPossibleTTL is the hard upper bound on an access
	// token's TTL (one year).
	DefaultAccessTokenMaxPossibleTTL time.Duration = time.Hour * 24 * 365
)
// Named Gitlab access levels, as Gitlab orders them from least to most
// privileged. The string values are the names Gitlab's API accepts.
const (
	AccessLevelNoPermissions            AccessLevel = "no_permissions"
	AccessLevelMinimalAccessPermissions AccessLevel = "minimal_access"
	AccessLevelGuestPermissions         AccessLevel = "guest"
	AccessLevelReporterPermissions      AccessLevel = "reporter"
	AccessLevelDeveloperPermissions     AccessLevel = "developer"
	AccessLevelMaintainerPermissions    AccessLevel = "maintainer"
	AccessLevelOwnerPermissions         AccessLevel = "owner"

	// AccessLevelUnknown is the zero value; it names no Gitlab access level.
	AccessLevelUnknown AccessLevel = ""
)
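// Gitlab token scopes. The doc comment on each constant describes what the
// scope grants; the read_repository comment previously duplicated the
// read_registry one and is corrected here.
const (
	// TokenScopeApi grants complete read and write access to the scoped group and related project API, including the Package Registry
	TokenScopeApi = TokenScope("api")
	// TokenScopeReadApi grants read access to the scoped group and related project API, including the Package Registry
	TokenScopeReadApi = TokenScope("read_api")
	// TokenScopeReadRegistry grants read access (pull) to the Container Registry images if any project within expected group is private and authorization is required.
	TokenScopeReadRegistry = TokenScope("read_registry")
	// TokenScopeWriteRegistry grants write access (push) to the Container Registry.
	TokenScopeWriteRegistry = TokenScope("write_registry")
	// TokenScopeReadRepository grants read access (pull) to all repositories within expected group
	TokenScopeReadRepository = TokenScope("read_repository")
	// TokenScopeWriteRepository grants read and write access (pull and push) to all repositories within expected group
	TokenScopeWriteRepository = TokenScope("write_repository")
	// TokenScopeCreateRunner grants permission to create runners in expected group
	TokenScopeCreateRunner = TokenScope("create_runner")

	// TokenScopeReadUser grants read-only access to the authenticated user’s profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.
	TokenScopeReadUser = TokenScope("read_user")
	// TokenScopeSudo grants permission to perform API actions as any user in the system, when authenticated as an administrator.
	// This is an administrative scope: a role allowed to request it can act as any account, so such roles warrant tight Vault policy and auditing.
	TokenScopeSudo = TokenScope("sudo")
	// TokenScopeAdminMode grants permission to perform API actions as an administrator, when Admin Mode is enabled.
	// Administrative scope; the same caution as for TokenScopeSudo applies.
	TokenScopeAdminMode = TokenScope("admin_mode")

	// TokenScopeUnknown is the zero value and is not a valid Gitlab scope
	// (presumably what TokenScopeParse yields for an unrecognised string — confirm).
	TokenScopeUnknown = TokenScope("")
)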
// Kinds of Gitlab access token the backend can issue; the string values are
// the names used in role configuration and in EntryToken.TokenType.
const (
	TokenTypePersonal TokenType = "personal"
	TokenTypeProject  TokenType = "project"
	TokenTypeGroup    TokenType = "group"

	// TokenTypeUnknown is the zero value; it names no token type.
	TokenTypeUnknown TokenType = ""
)
// PathConfigStorage is the storage path for the backend configuration entry
// (presumably the key used with the backend's logical storage — confirm in the config path handler).
const PathConfigStorage = "config"
// PathRoleStorage is the storage path prefix under which role entries are kept
// (presumably combined with the role name — confirm in the role path handler).
const PathRoleStorage = "roles"
// PathTokenRoleStorage is the storage path prefix for issued-token entries
// (presumably keyed per role — confirm in the token path handler).
const PathTokenRoleStorage = "token"

Variables

// ErrNilValue signals a nil value where one is not allowed.
var ErrNilValue = errors.New("nil value")

// ErrInvalidValue signals a value that failed validation.
var ErrInvalidValue = errors.New("invalid value")

// ErrFieldRequired signals a required request field that was not supplied.
var ErrFieldRequired = errors.New("required field")

// ErrFieldInvalidValue signals a request field whose value failed validation.
var ErrFieldInvalidValue = errors.New("invalid value for field")

// ErrBackendNotConfigured signals that the backend configuration has not been
// written yet, so no Gitlab client can be built.
var ErrBackendNotConfigured = errors.New("backend not configured")
// ErrAccessTokenNotFound signals that no stored access token matched the request.
var ErrAccessTokenNotFound = errors.New("access token not found")

// ErrRoleNotFound signals that no role with the requested name exists.
var ErrRoleNotFound = errors.New("role not found")
// ErrUnknownAccessLevel signals an access-level string that matches none of
// the AccessLevel* constants.
var ErrUnknownAccessLevel = errors.New("unknown access level")

// ValidAccessLevels lists every named access level, from least to most
// privileged as Gitlab orders them.
var ValidAccessLevels = []string{
	AccessLevelNoPermissions.String(),
	AccessLevelMinimalAccessPermissions.String(),
	AccessLevelGuestPermissions.String(),
	AccessLevelReporterPermissions.String(),
	AccessLevelDeveloperPermissions.String(),
	AccessLevelMaintainerPermissions.String(),
	AccessLevelOwnerPermissions.String(),
}

// ValidPersonalAccessLevels holds only the empty level: personal access
// tokens carry no access level, so the only accepted value is "unset".
var ValidPersonalAccessLevels = []string{
	AccessLevelUnknown.String(),
}

// ValidProjectAccessLevels lists the access levels a project access token may
// be created with (guest and above).
var ValidProjectAccessLevels = []string{
	AccessLevelGuestPermissions.String(),
	AccessLevelReporterPermissions.String(),
	AccessLevelDeveloperPermissions.String(),
	AccessLevelMaintainerPermissions.String(),
	AccessLevelOwnerPermissions.String(),
}

// ValidGroupAccessLevels lists the access levels a group access token may be
// created with (guest and above). It is a distinct slice from
// ValidProjectAccessLevels even though the contents match.
var ValidGroupAccessLevels = []string{
	AccessLevelGuestPermissions.String(),
	AccessLevelReporterPermissions.String(),
	AccessLevelDeveloperPermissions.String(),
	AccessLevelMaintainerPermissions.String(),
	AccessLevelOwnerPermissions.String(),
}
// ErrUnknownTokenScope signals a scope string that matches none of the
// TokenScope* constants.
var ErrUnknownTokenScope = errors.New("unknown token scope")

// ValidGroupTokenScopes lists the scopes a group access token may request.
// It is the unexported validTokenScopes slice itself (shared backing array),
// not a copy, so it must be treated as read-only.
var ValidGroupTokenScopes = validTokenScopes

// ValidProjectTokenScopes lists the scopes a project access token may request;
// like ValidGroupTokenScopes it aliases validTokenScopes.
var ValidProjectTokenScopes = validTokenScopes

// ValidPersonalTokenScopes lists the scopes a personal access token may
// request. Note that sudo and admin_mode are administrative scopes; which
// roles are permitted to ask for them is a Vault policy decision worth
// reviewing.
var ValidPersonalTokenScopes = []string{
	TokenScopeReadUser.String(),
	TokenScopeSudo.String(),
	TokenScopeAdminMode.String(),
}
// ErrUnknownTokenType signals a token-type string that matches none of the
// TokenType* constants.
var ErrUnknownTokenType = errors.New("unknown token type")

Functions

func Factory

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

Factory returns a new Backend as a logical.Backend.

Types

type AccessLevel

// AccessLevel is the name of a Gitlab access level (see the AccessLevel*
// constants). Untrusted strings should go through AccessLevelParse rather
// than a bare conversion so unknown names are rejected.
type AccessLevel string

func AccessLevelParse

func AccessLevelParse(value string) (AccessLevel, error)

func (AccessLevel) String

func (i AccessLevel) String() string

func (AccessLevel) Value

func (i AccessLevel) Value() int

type Backend

// Backend is the Vault secrets backend for this plugin. It embeds
// *framework.Backend and is what Factory returns as a logical.Backend.
type Backend struct {
	*framework.Backend
	// contains filtered or unexported fields
}

func (*Backend) Invalidate

func (b *Backend) Invalidate(ctx context.Context, key string)

Invalidate invalidates the key if required

func (*Backend) SetClient

func (b *Backend) SetClient(client Client)

type Client

// Client is the Gitlab API surface the backend depends on. NewGitlabClient
// builds the real implementation from the stored configuration, and
// Backend.SetClient installs an implementation (presumably also used to
// substitute a fake in tests — confirm).
type Client interface {
	// Valid reports whether the client is usable.
	Valid() bool

	// CreatePersonalAccessToken creates a personal access token for the user
	// identified by username/userId with the given name, expiry and scopes.
	CreatePersonalAccessToken(username string, userId int, name string, expiresAt time.Time, scopes []string) (*EntryToken, error)
	// CreateGroupAccessToken creates a group access token on groupId with the
	// given name, expiry, scopes and access level.
	CreateGroupAccessToken(groupId string, name string, expiresAt time.Time, scopes []string, accessLevel AccessLevel) (*EntryToken, error)
	// CreateProjectAccessToken creates a project access token on projectId with
	// the given name, expiry, scopes and access level.
	CreateProjectAccessToken(projectId string, name string, expiresAt time.Time, scopes []string, accessLevel AccessLevel) (*EntryToken, error)
	// RevokePersonalAccessToken revokes the personal access token with tokenId.
	RevokePersonalAccessToken(tokenId int) error
	// RevokeProjectAccessToken revokes token tokenId belonging to projectId.
	RevokeProjectAccessToken(tokenId int, projectId string) error
	// RevokeGroupAccessToken revokes token tokenId belonging to groupId.
	RevokeGroupAccessToken(tokenId int, groupId string) error
	// GetUserIdByUsername resolves a Gitlab username to its numeric user id.
	GetUserIdByUsername(username string) (int, error)
}

func NewGitlabClient

func NewGitlabClient(config *entryConfig) (client Client, err error)

type EntryToken

// EntryToken is the backend's record of an issued Gitlab access token. It is
// JSON-serializable in full — including the secret Token field — so any log
// line or debug dump of a whole EntryToken exposes the credential; use
// SecretResponse to shape what leaves the backend.
type EntryToken struct {
	// TokenID is Gitlab's numeric id for the token (what the Revoke* calls take).
	TokenID int `json:"token_id"`
	// UserID is the owning user's numeric id (presumably meaningful only for
	// personal tokens — confirm).
	UserID int `json:"user_id"`
	// ParentID is the id of the project or group the token belongs to.
	ParentID string `json:"parent_id"`
	// Path is the Gitlab path of the parent.
	Path string `json:"path"`
	// Name is the token's display name in Gitlab.
	Name string `json:"name"`
	// Token is the secret token value itself; serialized under the "token" key.
	Token string `json:"token"`
	// TokenType says whether this is a personal, project or group token.
	TokenType TokenType `json:"token_type"`
	// CreatedAt is the creation time reported by Gitlab, if known.
	CreatedAt *time.Time `json:"created_at"`
	// ExpiresAt is the expiry time, if known.
	ExpiresAt *time.Time `json:"expires_at"`
	// Scopes is the list of granted scope names.
	Scopes []string `json:"scopes"`
	AccessLevel AccessLevel `json:"access_level"` // not used for personal access tokens
}

func (EntryToken) SecretResponse

func (e EntryToken) SecretResponse() (map[string]interface{}, map[string]interface{})

type TokenScope

// TokenScope is the name of a Gitlab token scope (see the TokenScope*
// constants). Untrusted strings should go through TokenScopeParse rather
// than a bare conversion so unknown scope names are rejected.
type TokenScope string

func TokenScopeParse

func TokenScopeParse(value string) (TokenScope, error)

func (TokenScope) String

func (i TokenScope) String() string

func (TokenScope) Value

func (i TokenScope) Value() string

type TokenType

// TokenType names the kind of Gitlab access token (see the TokenType*
// constants); parse untrusted input with TokenTypeParse.
type TokenType string

func TokenTypeParse

func TokenTypeParse(value string) (TokenType, error)

func (TokenType) String

func (i TokenType) String() string

func (TokenType) Value

func (i TokenType) Value() string

Directories

Path Synopsis
cmd
