some basics for VaultPass

brent s. 2020-03-27 09:03:43 -04:00
parent 4a4f5871b1
commit 34b2c35c11
Signed by: bts
GPG Key ID: 8C004C2F93481F6B
7 changed files with 143 additions and 3 deletions


@ -10,7 +10,7 @@
<xs:include schemaLocation="./unix.xsd"/>
<xs:include schemaLocation="../elements/linux.xsd"/>

<xs:simpleType name="t_aif_auto_ip6">
<xs:simpleType name="t_aif_auto_ip6">
<xs:union memberTypes="t_net_auto_ip6">
<xs:simpleType>
<xs:restriction base="xs:string">


@ -90,6 +90,15 @@
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="t_net_http_basic_uri">
<xs:simpleContent>
<xs:restriction base="xs:anyURI">
<xs:pattern value="https?://.+/?"/>
<xs:whiteSpace value="collapse"/>
</xs:restriction>
</xs:simpleContent>
</xs:complexType>

<xs:simpleType name="t_net_mac_addr">
<xs:restriction base="xs:token">
<!-- EUI48[RFC7043§3] (previously MAC48[RFC7042§2.1]) -->
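Review bot: `t_net_http_basic_uri` is declared as `xs:complexType`/`xs:simpleContent`/`xs:restriction base="xs:anyURI"`, but a `simpleContent` restriction must derive from a complex type with simple content, not from a built-in simple type, so a conforming schema processor will reject this definition. The type needs only a pattern over a string-like base, which is exactly the shape `t_net_mac_addr` uses a few lines below: `<xs:simpleType name="t_net_http_basic_uri">` … `</xs:simpleType>` with the `xs:simpleContent` wrapper dropped and the `xs:restriction` left as is. The same construction appears in `t_std_base64` in the next file section. If the complex-type form was chosen so attributes can be added later, `xs:extension` from a simple base is permitted where `xs:restriction` is not.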


@ -10,6 +10,14 @@
</xs:restriction>
</xs:simpleType>
<xs:complexType name="t_std_base64">
<xs:simpleContent>
<xs:restriction base="xs:token">
<xs:pattern value="[A-Za-z0-9+/=]+"/>
</xs:restriction>
</xs:simpleContent>
</xs:complexType>

<xs:complexType name="t_std_cmdopts">
<xs:simpleContent>
<xs:extension base="xs:string">
@ -18,6 +26,13 @@
</xs:simpleContent>
</xs:complexType>

<xs:simpleType name="t_std_envvar">
<xs:restriction base="xs:token">
<xs:pattern value="env:[A-Za-z_]+[A-Za-z0-9_]*"/>
<xs:whiteSpace value="collapse"/>
</xs:restriction>
</xs:simpleType>

<xs:simpleType name="t_std_epoch_or_iso">
<!-- positiveInteger is used for UNIX Epoch. -->
<xs:union memberTypes="xs:dateTime xs:positiveInteger"/>
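Review bot: `t_std_base64` in the first hunk re-implements base64 with the character class `[A-Za-z0-9+/=]+`, which accepts values such as `====` or `a=b` that no decoder will take, while XSD already ships `xs:base64Binary` whose lexical space enforces group length and padding position. Since the root schema uses this type for an unseal key shard, a malformed value is better rejected at validation time than at decode time. A one-line replacement is `<xs:simpleType name="t_std_base64"><xs:restriction base="xs:base64Binary"/></xs:simpleType>`, which also avoids wrapping a simple restriction in `xs:complexType`/`xs:simpleContent`. `t_std_epoch_or_iso` in the second hunk continues past the hunk, so its remaining facets were not reviewed.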


@ -7,7 +7,7 @@

<xs:simpleType name="t_unix_filepath">
<xs:restriction base="xs:string">
<xs:pattern value="\s*(/[^/]+)+/?\s*"/>
<xs:pattern value="\s*(~?/[^/]+)+/?\s*"/>
<xs:whiteSpace value="collapse"/>
</xs:restriction>
</xs:simpleType>
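Review bot: Assuming the `\s*(~?/[^/]+)+/?\s*` form is the new pattern, the optional tilde sits inside the repeated group, so it reads as "tilde allowed before every segment" although a `~` inside a segment already matched the old pattern as an ordinary character; the only effective change is permitting a leading `~/`, and `~user/…` is still rejected because the tilde must be followed directly by `/`. Moving the prefix outside the group, `<xs:pattern value="\s*~?(/[^/]+)+/?\s*"/>`, states the intent more precisely. Whether `~` is expanded, and by whom, cannot be expressed here, so a comment such as `<!-- a leading ~ is NOT expanded by validation; the consumer must expand it -->` would help readers of `t_vaultpass_tokensource`, which unions this type.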


@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8" ?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
attributeFormDefault="unqualified">

<xs:include schemaLocation="./net.xsd"/>
<xs:include schemaLocation="./std.xsd"/>
<xs:include schemaLocation="./unix.xsd"/>

<xs:complexType name="t_vaultpass_auth">
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="appRole">
<xs:complexType>
<xs:all>
<xs:element name="role" type="xs:token" minOccurs="1" maxOccurs="1"/>
<xs:element name="secret" type="xs:token" minOccurs="1" maxOccurs="1"/>
</xs:all>
</xs:complexType>
</xs:element>
<!-- We don't support Boto3 because it requires an external session object. -->
<!-- We won't support EC2 Metadata auth unless requested because it's HELL complex. -->
<!-- TODO -->
<!--
<xs:element name="aws">
<xs:complexType>
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="iam">
<xs:complexType>
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="iamKey">
<xs:complexType>
<xs:all>
<xs:element name="keyID" type="xs:token" minOccurs="1" maxOccurs="1"/>
<xs:element name="key" type="xs:token" minOccurs="1" maxOccurs="1"/>
<xs:element name="sessionToken" type="xs:token" minOccurs="0"
maxOccurs="1"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="iamMetadata">
<xs:complexType>
<xs:all>
<xs:element name="urlBase" type="t_net_http_basic_uri" minOccurs="1"
maxOccurs="1"/>
<xs:element name="role" type="xs:token" minOccurs="1" maxOccurs="1"/>
</xs:all>
</xs:complexType>
</xs:element>
</xs:choice>
</xs:complexType>
</xs:element>
</xs:choice>
</xs:complexType>
</xs:element>
-->
<!-- TODO: if popularly requested.
They're pretty complex/messy and/or require extra configuration in Vault. -->
<!--
<xs:element name="azure"/>
<xs:element name="gcp"/>
<xs:element name="github"/>
<xs:element name="kubernetes"/>
-->
<!-- Requires extra configuration but it's probably pretty common, so I'll enable it. -->
<xs:element name="ldap">
<xs:complexType>
<xs:all>
<xs:element name="username" type="xs:token" minOccurs="1" maxOccurs="1"/>
<xs:element name="password" type="xs:token" minOccurs="1" maxOccurs="1"/>
<xs:element name="mountPoint" type="xs:token" minOccurs="0" maxOccurs="1" default="ldap"/>
</xs:all>
</xs:complexType>
</xs:element>
<!-- No longer supported upstream by HashiCorp. -->
<!--
<xs:element name="mfa"/>
-->
<!-- TODO: if popularly requested. -->
<!--
<xs:element name="okta"/>
-->
<xs:element name="token">
<xs:complexType>
<xs:attribute name="source" type="t_vaultpass_tokensource" use="optional"/>
</xs:complexType>
</xs:element>
</xs:choice>
</xs:complexType>
<xs:simpleType name="t_vaultpass_tokensource">
<xs:union memberTypes="t_std_envvar t_unix_filepath xs:token"/>
</xs:simpleType>

</xs:schema>
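Review bot: `appRole/secret` and `ldap/password` are typed `xs:token`, so the only way to supply them is a plaintext literal in the config file, whereas `token/@source` a few lines below accepts `t_vaultpass_tokensource` (env var, file path or literal); typing those two elements the same way, `<xs:element name="secret" type="t_vaultpass_tokensource" minOccurs="1" maxOccurs="1"/>` and likewise for `password`, keeps the indirection consistent and lets operators keep credentials out of the file. Note also that the union in `t_vaultpass_tokensource` ends with `xs:token`, which matches any string, so a mistyped `ENV:NAME` or a path the `t_unix_filepath` pattern does not accept silently validates as a literal token; a comment on the type, `<!-- xs:token is the fallback: anything that is not env:NAME or a valid path is taken as the literal token -->`, would make that explicit. Separately, `default="ldap"` on the optional `mountPoint` element is applied only when `<mountPoint/>` is present and empty; when the element is omitted, schema validation supplies nothing, so the reader has to fall back to "ldap" itself, and the same holds for `uri` in the root schema.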


@ -270,7 +270,7 @@
<xs:complexType>
<xs:attribute name="type" type="t_aif_bootloaders" use="required"/>
<xs:attribute name="target" type="t_std_nonempty" use="required"/>
<xs:attribute name="efi" type="xs:boolean" use="optional" default="1"/>
<xs:attribute name="efi" type="xs:boolean" use="optional" default="true"/>
</xs:complexType>
</xs:element>
<!-- END BOOTLOADER -->


@ -0,0 +1,22 @@
<?xml version="1.0" encoding="UTF-8" ?>
<xs:schema targetNamespace="https://git.square-r00t.net/VaultPass/"
xmlns="https://git.square-r00t.net/VaultPass/"
xmlns:vaultpass="https://git.square-r00t.net/VaultPass/"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
attributeFormDefault="unqualified">

<xs:include schemaLocation="../lib/types/vaultpass.xsd"/>

<!-- ROOT -->
<xs:element name="vaultpass">
<xs:complexType>
<xs:all>
<xs:element name="uri" type="t_std_uri" minOccurs="0" maxOccurs="1" default="http://localhost:8000/"/>
<xs:element name="auth" type="t_vaultpass_auth"/>
</xs:all>
<xs:attribute name="autoUnseal" type="xs:boolean" use="optional" default="false"/>
<xs:attribute name="unsealShard" type="t_std_base64" use="optional"/>
</xs:complexType>
</xs:element>
</xs:schema>
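Review bot: `unsealShard` is the most sensitive value in this schema and it can only be given as a literal base64 string in the attribute, with none of the env-var/file indirection that `token/@source` gets through `t_vaultpass_tokensource`; a union that also admits those sources, e.g. (name illustrative) `<xs:simpleType name="t_vaultpass_shardsource"><xs:union memberTypes="t_std_envvar t_unix_filepath t_std_base64"/></xs:simpleType>` with `type="t_vaultpass_shardsource"` on the attribute, would let the shard stay out of the file. The `uri` default of `http://localhost:8000/` also deserves a comment: it is plain HTTP, so every credential under `auth` crosses the wire unencrypted unless the operator overrides it, and if the port is meant to mirror Vault's own default listener that is 8200, so confirm which is intended. Note too that an element `default` is applied only when `<uri/>` is present and empty, not when it is omitted, so the reader must supply the fallback itself. The `vaultpass` prefix is declared on the root but not used by any visible line.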