abedra / libvault

A C++ library for Hashicorp Vault
MIT License
34 stars 26 forks source link

libvault

CMake Version

A C++ library for Hashicorp Vault

C++ 17

This project assumes a C++ 17 capable compiler. This includes GCC 8 or higher, and clang 3.8 or higher. Support for lower standards versions of C++ will not be accepted due to inconsistent implementations of optional.

Dependencies

Usage

The following example shows both a secret put and get. The most common scenario is get for most applications and the put will happen outside of the application by another process. Additional examples are located in the example directory.

#include <iostream>
#include <libvault/VaultClient.h>

int main(void)
{
  Vault::HttpErrorCallback httpErrorCallback = [&](std::string err) {
    std::cout << err << std::endl;
  };

  Vault::AppRoleStrategy authStrategy{
    Vault::RoleId{"<role_id>"},
    Vault::SecretId{"<secret_id>"}
  };

  Vault::Config config = Vault::ConfigBuilder().build();
  Vault::Client vaultClient{config, authStrategy, httpErrorCallback};
  Vault::SecretMount mount{"/test"};
  Vault::KeyValue kv{vaultClient, mount};
  Vault::Path key{"hello"};
  Vault::Parameters parameters(
    {
      {"foo","world"},
      {"baz","quux"},
      {"something", "something else"},
    }
  );

  kv.create(key, parameters);

  std::cout << kv.read(key).value() << std::endl;
}

JSON Serialization

This project uses nlohmann/json internally but does not expose it. This project makes no assumptions about serialization and returns std:string values that can be serialized by the tooling of your choice. Should you choose to use nlohmann/json you can add the json.hpp file to your project. This project's integration tests have multiple examples of how to use it.

Feature Support

The following tables show support for each of the secret backends, auth methods, and system endpoints. Because the surface area is so large, endpoints are implemented as needed. Pull requests are welcome. Feel free to file an issue or submit a pull request for additional support.

Secret Backend Implemented Integration Tested
Active Directory Yes No
Ali Cloud Yes No
AWS Yes No
Azure Yes No
Consul Yes No
Cubbyhole Yes Yes
Cassandra Yes No
Couchbase Yes No
Elasticsearch Yes No
Influxdb Yes No
HanaDB Yes No
MongoDB Yes No
MongoDB Atlas Yes No
MSSQL Yes No
MySQL/MariaDB Yes No
Oracle Yes No
PostgreSQL Yes Partial
Redshift Yes No
Google Cloud Yes No
Google Cloud KMS Yes No
Key Management* Yes No*
KMIP Yes No*
Key/Value V1 Yes Partial
Key/Value V2 Yes Partial
Identity Yes No
MongoDB Atlas Yes No
Nomad Yes No
OpenLDAP Yes No
PKI Yes Partial
RabbitMQ Yes Partial
SSH Yes No
TOTP Yes Yes
Transform Yes No*
Transit Yes Partial

* Requires an enterprise license and cannot be integration tested

Auth Method Implemented Integration Tested
AliCloud Yes No
AppRole Yes Yes
AWS Yes No
Azure Yes No
Cloud Foundry Yes No
GitHub Yes No
Google Cloud Yes No
JWT/OIDC Yes No
Kerberos Yes No
Kubernetes Yes No
LDAP Yes No
OCI Yes No
Okta Yes No
RADIUS Yes No
TLS Certificate Yes No
Tokens Yes Yes
Username/Password Yes No

* Requires an enterprise license and cannot be integration tested

System Backend Implemented Integration Tested
/sys/health Yes Yes
/sys/leader Yes Yes
/sys/auth Yes Yes
/sys/wrapping Yes Yes
/sys/audit Yes No
/sys/audit-hash Yes No
/sys/capabilities Yes No
/sys/capabilities-accessor Yes No
/sys/capabilities-self Yes No
/sys/config/auditing Yes No
/sys/config/control-group Yes No
/sys/config/cors Yes No
/sys/config/state Yes No
/sys/config/ui Yes No
/sys/control-group Yes No
/sys/host-info Yes No
/sys/init Yes No
/sys/internal/counters Yes No
/sys/plugins/reload/backend Yes No
/sys/internal/ui/mounts Yes No
/sys/key-status Yes No
/sys/leases Yes No
/sys/license Yes No
/sys/metrics Yes No
/sys/mounts Yes No
/sys/remount Yes No
/sys/rotate Yes No
/sys/seal Yes No
/sys/seal-status Yes No
/sys/step-down Yes No
/sys/unseal Yes No
/sys/mfa Yes No
/sys/namespaces Yes No*
/sys/generate-root Yes No
/sys/internal/specs/openapi Yes No
/sys/plugins/catalog Yes No
/sys/policy Yes No
/sys/policies Yes No*
/sys/pprof Yes No
/sys/raw Yes No
/sys/sealwrap/rewrap Yes No
/sys/tools Yes No
/sys/rekey No No
/sys/rekey-recovery-key No No
/sys/replication No No
/sys/storage No No

* Requires an enterprise license and cannot be integration tested

Compile and Install

This project uses CMake. To build the library run the following commands from the project root:

mkdir build
cd build
cmake ../
make

Compile Options

The following custom options can be provided to CMake to control your build:

Local Development

This project uses a standard C++ development with CMake environment. Additionally, a running and configured instance of Vault is required to run the integration tests. This project contains scripts that will download Vault, configure it, and run it. You are of course welcome to use your own Vault instance, but you will need to use the configuration from the script folder for the tests to pass.

Vault Setup

Use the provided scripts to setup and run your Vault environment:

$ script/fetch_vault
$ script/vault
# In another terminal window
$ script/bootstrap

This will ensure you have a working instance of Vault that will work with the integration tests. Note that this setup does not demonstrate a production worthy configuration and should only be used for reference or inside of this project. For you production Vault setup please consult the Hashicorp Vault best practices.