Vaultx.Base.Security (Vaultx v0.7.0)
Enterprise-grade security utilities for the Vaultx HashiCorp Vault client.
This module implements comprehensive security measures including input validation, sensitive data sanitization, SSL/TLS verification, token validation, and security audit logging. All security features follow industry best practices and compliance requirements.
Security Architecture
- Defense in Depth: Multiple layers of security validation
- Zero Trust: All inputs are validated and sanitized
- Compliance Ready: Audit logging for regulatory requirements
- Performance Optimized: Compile-time optimizations where possible
- Configurable: Security levels can be adjusted per environment
Core Security Features
Input Validation
- Type-safe validation with compile-time guards
- Path traversal prevention
- Injection attack prevention
Data Protection
- Automatic sensitive data redaction in logs
- Memory-safe string handling
- Secure token storage and transmission
Network Security
- SSL/TLS certificate validation
- Hostname verification
- Cipher suite validation
Compliance Standards
This module helps meet various compliance requirements:
- SOC 2 Type II
- PCI DSS
- HIPAA
- GDPR data protection
References
- Always use HTTPS in production
- Enable SSL certificate verification
- Use strong authentication methods
- Regularly rotate tokens and credentials
- Monitor and log security events
- Validate all inputs with type safety
- Sanitize sensitive data in logs
Examples
# Validate SSL configuration
case Vaultx.Base.Security.validate_ssl_config(config) do
  :ok -> :ok
  {:error, reason} -> handle_security_error(reason)
end

# Validate token format
case Vaultx.Base.Security.validate_token(token) do
  :ok -> use_token(token)
  {:error, reason} -> handle_invalid_token(reason)
end

# Audit log security events
Vaultx.Base.Security.audit_log(:authentication, :success, %{
  user_id: "user123",
  method: :token,
  ip_address: "192.168.1.1"
})
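The checks documented on this page can be chained so that a request fails closed before anything is sent to Vault. The following is an added example, not part of the Vaultx documentation or code base: `MyApp.VaultPreflight`, `guarded_read/5` and the caller-supplied `read_fun` are hypothetical names, and only the `Vaultx.Base.Security` functions shown on this page are called, with the return shapes the page documents.

```elixir
defmodule MyApp.VaultPreflight do
  # Hypothetical wrapper module (not part of Vaultx). It only calls the
  # Vaultx.Base.Security functions documented on this page.
  alias Vaultx.Base.Security

  @doc """
  Runs every documented check before `read_fun` is allowed to contact Vault.
  `read_fun` is a caller-supplied 3-arity function (assumption) that performs
  the actual request.
  """
  def guarded_read(url, token, path, ssl_config, read_fun)
      when is_function(read_fun, 3) do
    # The token is placed in the metadata only to show that it is redacted
    # by sanitize_for_logging/1 before it reaches the audit log.
    meta = %{
      request_id: Security.generate_request_id(),
      url: url,
      path: path,
      token: token
    }

    with :ok <- check(:url, Security.validate_url(url)),
         :ok <- check(:ssl, Security.validate_ssl_config(ssl_config)),
         :ok <- check(:token, Security.validate_token(token)),
         :ok <- check(:path, Security.validate_path(path)) do
      Security.audit_log(:http, :attempt, Security.sanitize_for_logging(meta))
      read_fun.(url, token, path)
    else
      {:error, {stage, reason}} ->
        # Fail closed: read_fun is never called, and the rejection is
        # recorded together with the check that produced it.
        failed = Map.merge(meta, %{stage: stage, reason: reason})
        Security.audit_log(:http, :failure, Security.sanitize_for_logging(failed))
        {:error, {stage, reason}}
    end
  end

  # Tag each error with its check so the caller and the audit record can
  # tell a rejected URL from a rejected path.
  defp check(_stage, :ok), do: :ok
  defp check(stage, {:error, reason}), do: {:error, {stage, reason}}
end
```

With the inputs from the examples further down this page, a `path` of `"../../../etc/passwd"` returns `{:error, {:path, "Path traversal detected"}}` and `read_fun` is not invoked.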
Summary
Functions
- audit_log: Logs security audit events with structured metadata.
- generate_request_id: Generates a secure request ID for tracing and audit purposes.
- sanitize_for_logging: Sanitizes data for safe logging by removing sensitive information.
- validate_input: Validates input data for security compliance.
- validate_path: Validates a Vault path format and security compliance.
- validate_ssl_config: Validates SSL/TLS configuration for secure communication.
- validate_token: Validates token format and security compliance.
- validate_url: Validates URL for security compliance.
Types
@type audit_event_type() ::
  :authentication
  | :authorization
  | :token_creation
  | :token_revocation
  | :secret_generation
  | :secret_destruction
  | :role_management
  | :lease_renewal
  | :lease_revocation
  | :lease_revoke_prefix
  | :lease_revoke_force
  | :lease_maintenance
  | :http
@type audit_metadata() :: map()
@type audit_result() :: :success | :failure | :attempt
@type ssl_config() :: map()
@type token() :: String.t()
@type validation_result() :: :ok | {:error, String.t()}
Functions
@spec audit_log(audit_event_type(), audit_result(), audit_metadata()) :: :ok
Logs security audit events with structured metadata.
Parameters
- event_type - Type of security event
- result - Result of the operation (:success, :failure, :attempt)
- metadata - Additional context and metadata
Examples
Vaultx.Base.Security.audit_log(:authentication, :success, %{
  user_id: "user123",
  method: :token,
  duration_ms: 150
})
@spec generate_request_id() :: String.t()
Generates a secure request ID for tracing and audit purposes.
Returns
A UUID v4 string for request tracking
Examples
iex> id = Vaultx.Base.Security.generate_request_id()
iex> String.length(id)
36
Sanitizes data for safe logging by removing sensitive information.
Parameters
- data - Data to sanitize
Returns
- Sanitized data with sensitive fields redacted
Examples
iex> Vaultx.Base.Security.sanitize_for_logging(%{token: "secret", data: "safe"})
%{token: "[REDACTED]", data: "safe"}
@spec validate_input(term(), keyword()) :: validation_result()
Validates input data for security compliance.
Parameters
- data - Data to validate
- opts - Validation options
Returns
- :ok - Data is valid and secure
- {:error, reason} - Data has security issues
Examples
iex> Vaultx.Base.Security.validate_input("safe_data", max_length: 100)
:ok
iex> Vaultx.Base.Security.validate_input("<script>alert('xss')</script>")
{:error, "Input contains potentially dangerous content"}
@spec validate_path(String.t()) :: validation_result()
Validates a Vault path format and security compliance.
Parameters
- path - Path string to validate
Returns
- :ok - Path is valid and secure
- {:error, reason} - Path has security issues
Examples
iex> Vaultx.Base.Security.validate_path("secret/myapp/config")
:ok
iex> Vaultx.Base.Security.validate_path("../../../etc/passwd")
{:error, "Path traversal detected"}
@spec validate_ssl_config(ssl_config()) :: validation_result()
Validates SSL/TLS configuration for secure communication.
Parameters
- config - SSL configuration map
Returns
- :ok - Configuration is valid and secure
- {:error, reason} - Configuration has security issues
Examples
iex> Vaultx.Base.Security.validate_ssl_config(%{verify: :verify_peer})
:ok
iex> Vaultx.Base.Security.validate_ssl_config(%{verify: :verify_none})
{:error, "SSL verification disabled - security risk"}
@spec validate_token(token()) :: validation_result()
Validates token format and security compliance.
Parameters
- token - Token string to validate
Returns
- :ok - Token is valid and secure
- {:error, reason} - Token has security issues
Examples
iex> Vaultx.Base.Security.validate_token("hvs.valid_token_format")
:ok
iex> Vaultx.Base.Security.validate_token("short")
{:error, "Token too short - minimum 8 characters required"}
@spec validate_url(String.t()) :: validation_result()
Validates URL for security compliance.
Parameters
- url - URL string to validate
Returns
- :ok - URL is valid and secure
- {:error, reason} - URL has security issues
Examples
iex> Vaultx.Base.Security.validate_url("https://vault.example.com")
:ok
iex> Vaultx.Base.Security.validate_url("http://vault.example.com")
{:error, "HTTP URLs are not secure - use HTTPS"}