Struct diem_vault_client::Client

pub struct Client { /* private fields */ }

Client provides a client around the restful interface to a Vault servce. Learn more here: https://www.vaultproject.io/api-docs/

A brief overview of Vault:

• Vault stores data in various paths, in the case of a WebAPI, different URLs. So, for example, both a secret and a policy are hosted at distinct paths. Policies are then used to define which actors can access those paths and with what actions.
• Vault uses a KV store separated into various containers or secrets. In the concept of a file system, a secret might represent a folder, where keys would be files, and the contents the values. Policies are only applied at the folder level.
• Data is accessed in Vault via tokens. Policies can only be granted during creation of a token, but policies can be amended afterward. So you cannot add new policies to a token, but you can increase the tokens abilities by modifying the underlying policies.

Implementations

impl Client

pub fn new( host: String, token: String, ca_certificate: Option<String>, connection_timeout_ms: Option<u64>, response_timeout_ms: Option<u64> ) -> Self

pub fn delete_policy(&self, policy_name: &str) -> Result<(), Error>

pub fn list_policies(&self) -> Result<Vec<String>, Error>

pub fn read_policy(&self, policy_name: &str) -> Result<Policy, Error>

Retrieves the policy at the given policy name.

pub fn set_policy(&self, policy_name: &str, policy: &Policy) -> Result<(), Error>

Create a new policy in Vault, see the explanation for Policy for how the data is structured. Vault does not distingush a create and update. An update must first read the existing policy, amend the contents, and then be applied via this API.

pub fn create_token(&self, policies: Vec<&str>) -> Result<String, Error>

Creates a new token or identity for accessing Vault. The token will have access to anything under the default policy and any prescribed policies.

pub fn renew_token_self(&self, increment: Option<u32>) -> Result<u32, Error>

pub fn revoke_token_self(&self) -> Result<(), Error>

pub fn list_secrets(&self, secret: &str) -> Result<Vec<String>, Error>

List all stored secrets

pub fn delete_secret(&self, secret: &str) -> Result<(), Error>

Delete a specific secret store

pub fn read_secret( &self, secret: &str, key: &str ) -> Result<ReadResponse<Value>, Error>

Read a key/value pair from a given secret store.

pub fn create_ed25519_key( &self, name: &str, exportable: bool ) -> Result<(), Error>

pub fn delete_key(&self, name: &str) -> Result<(), Error>

pub fn export_ed25519_key( &self, name: &str, version: Option<u32> ) -> Result<Ed25519PrivateKey, Error>

pub fn import_ed25519_key( &self, name: &str, key: &Ed25519PrivateKey ) -> Result<(), Error>

pub fn list_keys(&self) -> Result<Vec<String>, Error>

pub fn read_ed25519_key( &self, name: &str ) -> Result<Vec<ReadResponse<Ed25519PublicKey>>, Error>

pub fn rotate_key(&self, name: &str) -> Result<(), Error>

pub fn trim_key_versions(&self, name: &str) -> Result<Ed25519PublicKey, Error>

Trims the number of key versions held in vault storage. This prevents stale keys from sitting around for too long and becoming susceptible to key gathering attacks.

Once the key versions have been trimmed, this method returns the most recent (i.e., highest versioned) public key for the given cryptographic key name.

pub fn sign_ed25519( &self, name: &str, data: &[u8], version: Option<u32> ) -> Result<Ed25519Signature, Error>

pub fn write_secret( &self, secret: &str, key: &str, value: &Value, version: Option<u32> ) -> Result<u32, Error>

Create or update a key/value pair in a given secret store.

pub fn unsealed(&self) -> Result<bool, Error>

Returns whether or not the vault is unsealed (can be read from / written to). This can be queried without authentication.