149 lines
7.0 KiB
XML
149 lines
7.0 KiB
XML
<?xml version="1.0" encoding="UTF-8" ?>
|
|
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
|
|
elementFormDefault="qualified"
|
|
attributeFormDefault="unqualified">
|
|
|
|
<xs:include schemaLocation="./gpg.xsd"/>
|
|
<xs:include schemaLocation="./net.xsd"/>
|
|
<xs:include schemaLocation="./std.xsd"/>
|
|
<xs:include schemaLocation="./unix.xsd"/>
|
|
|
|
<xs:complexType name="t_vaultpass_auth_plain">
|
|
<xs:choice minOccurs="1" maxOccurs="1">
|
|
<xs:element name="appRole">
|
|
<xs:complexType>
|
|
<xs:all>
|
|
<xs:element name="role" type="xs:token" minOccurs="1" maxOccurs="1"/>
|
|
<xs:element name="secret" type="xs:token" minOccurs="1" maxOccurs="1"/>
|
|
</xs:all>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!-- We don't support Boto3 because it requires an external session object. -->
|
|
<!-- We won't support EC2 Metadata auth unless requested because it's HELL complex. -->
|
|
<!-- TODO -->
|
|
<!--
|
|
<xs:element name="aws">
|
|
<xs:complexType>
|
|
<xs:choice minOccurs="1" maxOccurs="1">
|
|
<xs:element name="iam">
|
|
<xs:complexType>
|
|
<xs:choice minOccurs="1" maxOccurs="1">
|
|
<xs:element name="iamKey">
|
|
<xs:complexType>
|
|
<xs:all>
|
|
<xs:element name="keyID" type="xs:token" minOccurs="1" maxOccurs="1"/>
|
|
<xs:element name="key" type="xs:token" minOccurs="1" maxOccurs="1"/>
|
|
<xs:element name="sessionToken" type="xs:token" minOccurs="0"
|
|
maxOccurs="1"/>
|
|
</xs:all>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="iamMetadata">
|
|
<xs:complexType>
|
|
<xs:all>
|
|
<xs:element name="urlBase" type="t_net_http_basic_uri" minOccurs="1"
|
|
maxOccurs="1"/>
|
|
<xs:element name="role" type="xs:token" minOccurs="1" maxOccurs="1"/>
|
|
</xs:all>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
</xs:choice>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
</xs:choice>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
-->
|
|
<!-- TODO: if popularly requested.
|
|
They're pretty complex/messy and/or require extra configuration in Vault. -->
|
|
<!--
|
|
<xs:element name="azure"/>
|
|
<xs:element name="gcp"/>
|
|
<xs:element name="github"/>
|
|
<xs:element name="kubernetes"/>
|
|
-->
|
|
<!-- Requires extra configuration but it's probably pretty common, so I'll enable it. -->
|
|
<xs:element name="ldap">
|
|
<xs:complexType>
|
|
<xs:all>
|
|
<xs:element name="username" type="xs:token" minOccurs="1" maxOccurs="1"/>
|
|
<xs:element name="password" type="xs:token" minOccurs="1" maxOccurs="1"/>
|
|
<xs:element name="mountPoint" type="xs:token" minOccurs="0" maxOccurs="1" default="ldap"/>
|
|
</xs:all>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!-- No longer supported upstream by HashiCorp. -->
|
|
<!--
|
|
<xs:element name="mfa"/>
|
|
-->
|
|
<!-- TODO: if popularly requested. -->
|
|
<!--
|
|
<xs:element name="okta"/>
|
|
-->
|
|
<xs:element name="token">
|
|
<xs:complexType>
|
|
<xs:simpleContent>
|
|
<xs:extension base="xs:token">
|
|
<xs:attribute name="source" type="t_vaultpass_tokensource" use="optional"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="userpass">
|
|
<xs:complexType>
|
|
<xs:all>
|
|
<xs:element name="username" type="xs:token" minOccurs="1" maxOccurs="1"/>
|
|
<xs:element name="password" type="xs:token" minOccurs="1" maxOccurs="1"/>
|
|
<xs:element name="mountPoint" type="xs:token" minOccurs="0" maxOccurs="1" default="userpass"/>
|
|
</xs:all>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
</xs:choice>
|
|
</xs:complexType>
|
|
|
|
<xs:simpleType name="t_vaultpass_mount_path">
|
|
<xs:restriction base="xs:token">
|
|
<!-- I can't believe Vault accepts this charset for mount names. -->
|
|
<xs:pattern value="[A-Za-z0-9!"#$%&'()*+,./:;=<>\?\\@\[\]\^_`{|}~-]+"/>
|
|
<xs:whiteSpace value="collapse"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:complexType name="t_vaultpass_mount">
|
|
<xs:simpleContent>
|
|
<xs:extension base="t_vaultpass_mount_path">
|
|
<xs:attribute name="type" use="optional" default="kv2">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:token">
|
|
<xs:enumeration value="cubbyhole"/>
|
|
<xs:enumeration value="kv1"/>
|
|
<xs:enumeration value="kv2"/>
|
|
<!-- TODO: can any of the below be enabled? -->
|
|
<!-- more at .../ui/vault/settings/mount-secret-backend -->
|
|
<!--
|
|
<xs:enumeration value="pki"/>
|
|
<xs:enumeration value="ssh"/>
|
|
<xs:enumeration value="transit"/>
|
|
<xs:enumeration value="totp"/>
|
|
-->
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="t_vaultpass_star_gpg">
|
|
<xs:simpleContent>
|
|
<xs:extension base="t_unix_filepath">
|
|
<xs:attribute name="gpgHome" type="t_unix_filepath" use="optional"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
|
|
<xs:simpleType name="t_vaultpass_tokensource">
|
|
<xs:union memberTypes="t_std_envvar t_unix_filepath"/>
|
|
</xs:simpleType>
|
|
|
|
</xs:schema>
|