public static async Task <LeaderStatus> GetLeaderAsync(this VaultClient client,
SystemBackendOptions options = null)
{
return(await((IProtocolSource)client).Protocol
.SendGetAsync <LeaderStatus>("sys/leader",
options: options));
}
/// <summary>
/// Mounts a new secret backend at the given path.
/// </summary>
/// <param name="client"></param>
/// <param name="path">Specifies the path where the secret backend will be mounted.</param>
/// <param name="type">Specifies the type of the backend, such as <c>aws</c>.</param>
/// <param name="description">Specifies the human-friendly description of the mount.</param>
/// <param name="config">Specifies configuration options for this mount.</param>
/// <param name="local">Specifies if the secret backend is a local mount only.
/// Local mounts are not replicated nor (if a secondary) removed by replication.</param>
/// <param name="options"></param>
/// <remarks>
/// <para>
/// This <c>config</c> an object with these possible values:
/// <list>
/// <item>default_lease_ttl</item>
/// <item>max_lease_ttl</item>
/// <item>force_no_cache</item>
/// <item>plugin_name</item>
/// </list>
/// These control the default and maximum lease time-to-live, and force disabling
/// backend caching respectively. If set on a specific mount, this overrides the
/// global defaults.
/// </para><para>
/// <b><i>The <c>local</c> option is allowed in Vault open-source, but relevant functionality
/// is only supported in Vault Enterprise.</i></b>
/// </para>
public static async Task MountBackendAsync(
this VaultClient client,
string path,
string type,
string description = null,
Dictionary <string, object> config = null,
bool?local = null,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(path))
{
throw new ArgumentNullException(nameof(path));
}
if (string.IsNullOrEmpty(type))
{
throw new ArgumentNullException(nameof(type));
}
path = path.Trim('/');
await((IProtocolSource)client).Protocol.SendPostAsync <NoContentResponse>(
$"sys/mounts/{path}",
new MountBackendRequest
{
Type = type,
Description = description,
Config = config,
Local = local,
},
options: options);
}
public static async Task <KeyStatus> GetKeyStatusAsync(this VaultClient client,
SystemBackendOptions options = null)
{
return(await((IProtocolSource)client).Protocol
.SendGetAsync <KeyStatus>("sys/key-status",
options: options));
}
public static async Task <ReadResponse <Dictionary <string, object> > > UnwrapData(
this VaultClient client,
string token = null,
SystemBackendOptions options = null)
{
return(await UnwrapData <Dictionary <string, object> >(client, token, options));
}
public static async Task DoSealAsync(this VaultClient client,
SystemBackendOptions options = null)
{
await((IProtocolSource)client).Protocol
.SendPutAsync <NoContentResponse>("sys/seal",
options: options);
}
/// <summary>
/// Registers a new plugin, or updates an existing one with the supplied name.
/// </summary>
/// <param name="client"></param>
/// <param name="name">Specifies the name for this plugin. The name is what is used to
/// look up plugins in the catalog.</param>
/// <param name="sha256">This is the SHA256 sum of the plugin's binary. Before a plugin
/// is run it's SHA will be checked against this value, if they do not match the
/// plugin can not be run.</param>
/// <param name="command">Specifies the command used to execute the plugin. This is
/// relative to the plugin directory. Example: <c>>myplugin --my_flag=1<c>></param>
/// <param name="args"></param>
/// <param name="options"></param>
/// <remarks>
/// <para>
/// <b><i>sudo required – This operation requires sudo capability in addition to any
/// path-specific capabilities.</i></b>
/// </para>
/// </remarks>
public static async Task RegisterPluginAsync(
this VaultClient client,
string name,
string sha256,
string command,
string[] args = null,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(name))
{
throw new ArgumentNullException(nameof(name));
}
if (string.IsNullOrEmpty(sha256))
{
throw new ArgumentNullException(nameof(sha256));
}
if (string.IsNullOrEmpty(command))
{
throw new ArgumentNullException(nameof(command));
}
name = name.TrimStart('/');
await client.WriteAsync($"sys/plugins/catalog/{name}",
new RegisterPluginRequest
{
Sha256 = sha256,
Command = command,
Args = args,
},
options : options);
}
public static async Task <InitializationStatus> GetInitializationStatusAsync(
this VaultClient client,
SystemBackendOptions options = null)
{
return(await((IProtocolSource)client).Protocol
.SendGetAsync <InitializationStatus>("sys/init",
options: options));
}
/// <summary>
/// Lists all the mounted secret backends.
/// </summary>
public static async Task <ReadResponse <Dictionary <string, MountInfo> > > ListMountedBackendsAsync(
this VaultClient client,
SystemBackendOptions options = null)
{
return(await client.ReadAsync <ReadResponse <Dictionary <string, MountInfo> > >(
"sys/mounts",
options : options));
}
/// <summary>
/// Lists the plugins in the catalog.
/// </summary>
public static async Task <ReadResponse <KeysData> > ListPluginsAsync(
this VaultClient client,
SystemBackendOptions options = null)
{
return(await client.ListAsync <ReadResponse <KeysData> >("sys/plugins/catalog",
on404 : resp => null,
options : options));
}
public static async Task <ReadResponse <Dictionary <string, AuthBackendInfo> > > ListAuthBackendsAsync(
this VaultClient client,
SystemBackendOptions options = null)
{
return(await((IProtocolSource)client).Protocol
.SendGetAsync <ReadResponse <Dictionary <string, AuthBackendInfo> > >($"sys/auth",
options: options));
}
public static async Task <SealStatus> DoUnsealAsync(this VaultClient client,
UnsealRequest requ,
SystemBackendOptions options = null)
{
return(await((IProtocolSource)client).Protocol
.SendPutAsync <SealStatus>("sys/unseal",
requ,
options: options));
}
public static async Task <InitializationResponse> DoInitializeAsync(this VaultClient client,
InitializationRequest requ,
SystemBackendOptions options = null)
{
return(await((IProtocolSource)client).Protocol
.SendPutAsync <InitializationResponse>("sys/init",
requ,
options: options));
}
public static async Task <HealthStatus> GetHealthAsync(this VaultClient client,
SystemBackendOptions options = null)
{
// We want to make sure that all the valid modes or states
// return a 200 response so we can capture it successfully
return(await((IProtocolSource)client).Protocol
.SendGetAsync <HealthStatus>("sys/health"
+ "?standbyok=false"
+ "&activecode=200"
+ "&standbycode=200"
+ "&sealedcode=200"
+ "&uninitcode=200",
options: options));
}
/// <summary>
/// Reloads mounted plugin backends.
/// </summary>
/// <param name="client"></param>
/// <param name="mounts">Mount paths of the plugin backends to reload.</param>
/// <param name="options"></param>
/// <returns></returns>
public static async Task ReloadMountPluginsAsync(
this VaultClient client,
string[] mounts,
SystemBackendOptions options = null)
{
if (mounts == null || mounts.Length == 0)
{
throw new ArgumentNullException(nameof(mounts));
}
await client.WriteAsync($"sys/plugins/reload/backend",
new { mounts },
options : options);
}
/// <summary>
/// This endpoint revokes all secrets or tokens generated under a given prefix
/// immediately. Unlike /sys/leases/revoke-prefix, this path ignores backend errors
/// encountered during revocation. This is potentially very dangerous and should only
/// be used in specific emergency situations where errors in the backend or the
/// connected backend service prevent normal revocation.
/// </summary>
/// <param name="client"></param>
/// <param name="leaseId">Specifies the prefix to revoke.</param>
/// <param name="options"></param>
/// <remarks>
/// <b><i>This operation requires 'sudo' capability.</i></b>
/// <para>
/// By ignoring these errors, Vault abdicates responsibility for ensuring that
/// the issued credentials or secrets are properly revoked and/or cleaned up.
/// Access to this operation is typically tightly controlled.
/// </para>
/// </remarks>
public static async Task RevokeForceLeasesAsync(
this VaultClient client,
string prefix,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(prefix))
{
throw new ArgumentNullException(nameof(prefix));
}
await((IProtocolSource)client).Protocol.SendPutAsync <NoContentResponse>(
$"sys/leases/revoke-force/{prefix}",
options: options);
}
public static async Task <AuthBackendConfig> ReadAuthBackendTuningAsync(
this VaultClient client,
string authName,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(authName))
{
throw new ArgumentNullException(nameof(authName));
}
return(await((IProtocolSource)client).Protocol
.SendGetAsync <AuthBackendConfig>($"sys/auth/{authName}/tune",
options: options));
}
/// <summary>
/// Reloads mounted plugin backends.
/// </summary>
/// <param name="client"></param>
/// <param name="plugin">The name of the plugin to reload, as registered in the plugin
/// catalog.</param>
/// <param name="options"></param>
/// <remarks>
/// Used to reload mounted plugin backends. All mounted paths that use the plugin
/// backend will be reloaded.
/// </remarks>
public static async Task ReloadPluginAsync(
this VaultClient client,
string plugin,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(plugin))
{
throw new ArgumentNullException(nameof(plugin));
}
await client.WriteAsync($"sys/plugins/reload/backend",
new { plugin },
options : options);
}
/// <summary>
/// Can be used to rotate a wrapping token and refresh its TTL.
/// </summary>
/// <param name="client"></param>
/// <param name="token">Specifies the wrapping token ID.</param>
/// <param name="options"></param>
/// <returns></returns>
public static async Task <ReadResponse <EmptyData> > RewrapDataAsync(
this VaultClient client,
string token,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(token))
{
throw new ArgumentNullException(nameof(token));
}
return(await((IProtocolSource)client).Protocol.SendPostAsync <ReadResponse <EmptyData> >(
"sys/wrapping/rewrap",
new { token },
options: options));
}
/// <summary>
/// Lists the plugins in the catalog.
/// </summary>
/// <param name="client"></param>
/// <param name="name">Specifies the name of the plugin to retrieve.</param>
/// <param name="options"></param>
/// <remarks>
/// <para>
/// <b><i>sudo required – This operation requires sudo capability in addition to any
/// path-specific capabilities.</i></b>
/// </para>
/// </remarks>
public static async Task <ReadResponse <PluginInfo> > ReadPluginAsync(
this VaultClient client,
string name,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(name))
{
throw new ArgumentNullException(nameof(name));
}
name = name.TrimStart('/');
return(await client.ReadAsync <ReadResponse <PluginInfo> >($"sys/plugins/catalog/{name}",
options : options));
}
/// <summary>
/// Removes the plugin with the given name.
/// </summary>
/// <param name="client"></param>
/// <param name="name">Specifies the name of the plugin to delete.</param>
/// <param name="options"></param>
/// <remarks>
/// <para>
/// <b><i>sudo required – This operation requires sudo capability in addition to any
/// path-specific capabilities.</i></b>
/// </para>
/// </remarks>
public static async Task RemovePluginAsync(
this VaultClient client,
string name,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(name))
{
throw new ArgumentNullException(nameof(name));
}
name = name.TrimStart('/');
await client.DeleteAsync($"sys/plugins/catalog/{name}",
options : options);
}
/// <summary>
/// Rads the given mount's configuration. Unlike the <see cref="ListMountedBackendsAsync"
/// >mounts-listing routine</see>, this will return the current time in seconds
/// for each TTL, which may be the system default or a mount-specific value.
/// </summary>
/// <param name="client"></param>
/// <param name="path">Mount path to read configuration for.</param>
/// <param name="options"></param>
/// <returns></returns>
public static async Task <ReadResponse <Dictionary <string, object> > > ReadMountConfigurationAsync(
this VaultClient client,
string path,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(path))
{
throw new ArgumentNullException(nameof(path));
}
path = path.Trim('/');
return(await client.ReadAsync <ReadResponse <Dictionary <string, object> > >(
$"sys/mounts/{path}/tune",
options : options));
}
public static async Task UnmountBackendAsync(
this VaultClient client,
string path,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(path))
{
throw new ArgumentNullException(nameof(path));
}
path = path.Trim('/');
await((IProtocolSource)client).Protocol.SendDeleteAsync <NoContentResponse>(
$"sys/mounts/{path}",
options: options);
}
/// <summary>
/// Returns a list of lease IDs.
/// </summary>
/// <param name="prefix">Optional prefix to filter the list of leases.</param>
/// <remarks>
/// <b><i>This operation requires 'sudo' capability.</i></b>
/// </remarks>
public static async Task <ReadResponse <KeysData> > ListLeasesAsync(
this VaultClient client,
string prefix = null,
SystemBackendOptions options = null)
{
var path = "sys/leases/lookup/";
if (!string.IsNullOrEmpty(prefix))
{
path += $"{prefix.TrimStart('/')}";
}
return(await client.ListAsync <ReadResponse <KeysData> >(path,
on404 : resp => null,
options : options));
}
/// <summary>
/// Revokes a lease immediately.
/// </summary>
/// <param name="client"></param>
/// <param name="leaseId">Specifies the ID of the lease to revoke.</param>
/// <param name="options"></param>
public static async Task RevokeLeaseAsync(
this VaultClient client,
string leaseId,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(leaseId))
{
throw new ArgumentNullException(nameof(leaseId));
}
await((IProtocolSource)client).Protocol.SendPutAsync <NoContentResponse>(
"sys/leases/revoke",
new ReadLeaseRequest {
LeaseId = leaseId,
},
options: options);
}
/// <summary>
/// Retrieve lease metadata.
/// </summary>
/// <param name="client"></param>
/// <param name="leaseId">Specifies the ID of the lease to lookup.</param>
/// <param name="options"></param>
public static async Task <LeaseInfo> ReadLeaseAsync(
this VaultClient client,
string leaseId,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(leaseId))
{
throw new ArgumentNullException(nameof(leaseId));
}
return(await((IProtocolSource)client).Protocol.SendPutAsync <LeaseInfo>(
"sys/leases/lookup",
new ReadLeaseRequest {
LeaseId = leaseId
},
options: options));
}
public static async Task TuneAuthBackendAsync(this VaultClient client,
string authName,
AuthBackendConfig config,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(authName))
{
throw new ArgumentNullException(nameof(authName));
}
if (config == null)
{
throw new ArgumentNullException(nameof(config));
}
await((IProtocolSource)client).Protocol
.SendPostAsync <NoContentResponse>($"sys/auth/{authName}/tune",
config,
options: options);
}
/// <summary>
/// Unwraps a wrapped response.
/// </summary>
/// <param name="client"></param>
/// <param name="token">Specifies the wrapping token ID. This is required if the client
/// token is not the wrapping token. Do not use the wrapping token in both locations.</param>
/// <param name="options"></param>
/// <remarks>
/// <para>
/// This endpoint returns the original response inside the given wrapping token.
/// Unlike simply reading cubbyhole/response (which is deprecated), this endpoint
/// provides additional validation checks on the token, returns the original value
/// on the wire rather than a JSON string representation of it, and ensures that
/// the response is properly audit-logged.
/// </para><para>
/// This endpoint can be used by using a wrapping token as the client token in the
/// API call, in which case the token parameter is not required; or, a different
/// token with permissions to access this endpoint can make the call and pass in
/// the wrapping token in the token parameter. Do not use the wrapping token in
/// both locations; this will cause the wrapping token to be revoked but the value
/// to be unable to be looked up, as it will basically be a double-use of the token!
/// </para>
/// </remarks>
public static async Task <ReadResponse <T> > UnwrapData <T>(
this VaultClient client,
string token = null,
SystemBackendOptions options = null)
{
object payload;
if (token == null)
{
payload = new {}
}
;
else
{
payload = new { token }
};
return(await((IProtocolSource)client).Protocol.SendPostAsync <ReadResponse <T> >(
"sys/wrapping/unwrap",
payload,
options: options));
}
/// <summary>
/// Tunes configuration parameters for a given mount point.
/// </summary>
/// <param name="client"></param>
/// <param name="path">Mount path to tune configuration for.</param>
/// <param name="config">Configuration parameters to tune.</param>
/// <param name="options"></param>
/// <remarks>
/// <para>
/// Configuration parameters:
/// <list>
/// <item>default_lease_ttl</item>
/// <description>(int: 0) – Specifies the default time-to-live.
/// This overrides the global default.
/// A value of 0 is equivalent to the system default TTL.</description>
/// <item>max_lease_ttl</item>
/// <description>(int: 0) – Specifies the maximum time-to-live.
/// This overrides the global default. A value of 0 are equivalent
/// and set to the system max TTL.</description>
/// </list>
/// </para>
/// </remarks>
public static async Task TuneMountConfigurationAsync(
this VaultClient client,
string path,
Dictionary <string, object> config,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(path))
{
throw new ArgumentNullException(nameof(path));
}
if (config == null)
{
throw new ArgumentNullException(nameof(config));
}
path = path.Trim('/');
await((IProtocolSource)client).Protocol.SendPostAsync <NoContentResponse>(
$"sys/mounts/{path}",
config,
options: options);
}
/// <summary>
/// Remounts an already-mounted backend to a new mount point.
/// </summary>
/// <param name="client"></param>
/// <param name="from">Specifies the previous mount point.</param>
/// <param name="to">Specifies the new destination mount point.</param>
/// <param name="options"></param>
public static async Task RemountBackendAsync(
this VaultClient client,
string from,
string to,
SystemBackendOptions options = null)
{
if (string.IsNullOrEmpty(from))
{
throw new ArgumentNullException(nameof(from));
}
if (string.IsNullOrEmpty(to))
{
throw new ArgumentNullException(nameof(to));
}
from = from.Trim('/');
to = to.Trim('/');
await((IProtocolSource)client).Protocol.SendPostAsync <NoContentResponse>(
$"sys/remount",
new { from, to },
options: options);
}
/// <summary>
/// Wraps the given values in a response-wrapped token.
/// </summary>
/// <param name="client"></param>
/// <param name="data">Parameters should be supplied as keys/values in a dictionary or
/// custom user object. The exact set of given parameters will be contained in the
/// wrapped response.</param>
/// <param name="options"></param>
public static async Task <ReadResponse <EmptyData> > WrapDataAsync(
this VaultClient client,
object data,
Duration?wrapTtl = null,
SystemBackendOptions options = null)
{
if (data == null)
{
throw new ArgumentNullException(nameof(data));
}
if (!wrapTtl.HasValue && !(options?.WrapTtl.HasValue).HasValue)
{
throw new ArgumentNullException(nameof(wrapTtl),
"wrapping TTL must be specified in either parameter or options property");
}
if (wrapTtl.HasValue && (options?.WrapTtl.HasValue).HasValue)
{
throw new ArgumentException(nameof(wrapTtl),
"wrapping TTL cannot be specified in both parameter and options property");
}
CallOptions co = options;
if (co == null)
{
co = new CallOptions {
WrapTtl = wrapTtl
}
}
;
return(await((IProtocolSource)client).Protocol.SendPostAsync <ReadResponse <EmptyData> >(
"sys/wrapping/wrap",
data,
options: co));
}
