secrets

package module
v0.5.1

Warning: This package is not in the latest version of its module.
Published: Jun 24, 2024 License: MIT Imports: 23 Imported by: 9

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MakeRenewalLogger

func MakeRenewalLogger(cm ClientManager, log log.LeveledLogger, terminator func()) service.RunnerFunc

MakeRenewalLogger subscribes to a ClientManager's notification channel and logs each Renewal it receives to the logger. If renewal of a critical credential fails, the terminator callback is called; it should shut down the application in an orderly fashion rather than let the process keep running with credentials it can no longer refresh.
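The loop below is an added example of the split MakeRenewalLogger describes (log everything, terminate once on a critical failure, only log for credentials marked non-critical); it is not the package's code. Because the page gives no import path, Renewal is redeclared locally with the fields shown under Types, RenewalStats is this example's own type, and the lease names in Demo are constructed.

```go
package main

import (
	"errors"
	"log"
	"sync"
	"time"
)

// Renewal mirrors the secrets.Renewal struct documented on this page. It is
// redeclared here because the page does not give the module's import path.
type Renewal struct {
	Name     string
	Critical bool
	Time     time.Time
	Error    error
}

// RenewalStats is this example's own summary type, not part of the package.
type RenewalStats struct {
	Renewed    int
	Failed     int
	Terminated bool
}

// WatchRenewals drains a Renewal channel until it is closed, logging every
// event. A failed renewal of a Critical credential invokes terminator, and
// only once, even if several critical failures arrive while shutdown is in
// progress. Failures of credentials marked non-critical (see MakeNonCritical)
// are logged and otherwise ignored.
func WatchRenewals(ch <-chan Renewal, logf func(string, ...any), terminator func()) RenewalStats {
	var stats RenewalStats
	var once sync.Once
	for r := range ch {
		switch {
		case r.Error == nil:
			stats.Renewed++
			logf("renewed %s at %s", r.Name, r.Time.Format(time.RFC3339))
		case r.Critical:
			stats.Failed++
			logf("CRITICAL: renewal of %s failed: %v; shutting down", r.Name, r.Error)
			once.Do(func() {
				stats.Terminated = true
				terminator()
			})
		default:
			stats.Failed++
			logf("non-critical renewal of %s failed: %v", r.Name, r.Error)
		}
	}
	return stats
}

// Demo feeds a constructed sequence of events through the watcher and returns
// the summary plus how many times the terminator ran. The lease names are
// illustrative, not paths the package defines.
func Demo() (RenewalStats, int) {
	ch := make(chan Renewal, 4)
	now := time.Now()
	ch <- Renewal{Name: "database/creds/app", Time: now}
	ch <- Renewal{Name: "aws/creds/reporting", Time: now, Error: errors.New("lease expired")}
	ch <- Renewal{Name: "database/creds/app", Critical: true, Time: now, Error: errors.New("permission denied")}
	ch <- Renewal{Name: "transit/keys/app", Critical: true, Time: now, Error: errors.New("vault sealed")}
	close(ch)

	calls := 0
	stats := WatchRenewals(ch, log.Printf, func() { calls++ })
	return stats, calls
}

func main() {
	stats, calls := Demo()
	log.Printf("%+v terminator calls=%d", stats, calls)
}
```

The terminator is guarded by sync.Once on purpose: an orderly shutdown takes time, and a second critical failure arriving during it must not start a second shutdown. With the real package you would pass ClientManager.Notifications() as the channel and let the service runner cancel the context from inside the terminator.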

Types

type AAD

type AAD struct {
	Key   string
	Value any
}

AAD holds additional authenticated data for AEAD ciphers

func (AAD) String

func (a AAD) String() string

type AWSCredential

type AWSCredential struct {
	AccessKeyId     string `json:"access_key" mapstructure:"access_key" yaml:"access_key"`
	SecretAccessKey string `json:"secret_key" mapstructure:"secret_key" yaml:"secret_key"`
	SessionToken    string `json:"security_token" mapstructure:"security_token" yaml:"security_token"`
}

type ApiKey

type ApiKey struct {
	Key string `json:"key" mapstructure:"key" yaml:"key"`
}

func MustGetApiKey

func MustGetApiKey(c Client, ctx context.Context, path string) *ApiKey

type Client

type Client interface {
	DatabaseCredential(ctx context.Context, suffix string) (*Credential, Handle, error)
	Secret(ctx context.Context, suffix string, out any) (Handle, error)
	RawSecret(ctx context.Context, path string, out any) (Handle, error)
	AWSIAMUser(ctx context.Context, name string) (*AWSCredential, Handle, error)
	AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error)
	AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error)
	WriteSecret(ctx context.Context, suffix string, out any) error
	Encrypt(ctx context.Context, suffix string, data []byte) (string, error)
	Decrypt(ctx context.Context, suffix, data string) ([]byte, error)
	EncryptAEAD(ctx context.Context, suffix string, data []byte, aad []fmt.Stringer) (string, error)
	DecryptAEAD(ctx context.Context, suffix, data string, aad []fmt.Stringer) ([]byte, error)
	Destroy(Handle) error
	MakeNonCritical(Handle) error
}

Client is the interface that consumers of secrets returned by a secret back-end should program against. It contains only secret-related functionality and none of the functions for running the back-end itself; keeping it separate from the manager functions makes it easier to inject stubs into code that doesn't care whether a manager exists.
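The EncryptAEAD and DecryptAEAD methods take the additional authenticated data as a slice of fmt.Stringer, which is what the AAD type above is for. The following added example (not the package's code, and not how its Vault transit back-end is implemented) shows the contract those methods impose on callers: the AAD is bound into the authentication tag but never stored, so the same values must be presented on decryption, and presenting different ones fails. The AAD type is redeclared locally, its "key=value" String format is an assumption (the page documents String() but not its output), and LocalAEAD is a stand-in AES-256-GCM back-end written only for this demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// AAD mirrors the page's secrets.AAD. The "key=value" String format is this
// example's assumption; the page documents String() but not its output.
type AAD struct {
	Key   string
	Value any
}

func (a AAD) String() string { return fmt.Sprintf("%s=%v", a.Key, a.Value) }

// joinAAD turns the []fmt.Stringer the Client methods accept into the single
// byte string the AEAD authenticates. Entries are length-prefixed so that two
// entries can never be confused with one entry that contains the separator.
func joinAAD(aad []fmt.Stringer) []byte {
	var b strings.Builder
	for _, s := range aad {
		v := s.String()
		fmt.Fprintf(&b, "%d:%s;", len(v), v)
	}
	return []byte(b.String())
}

// LocalAEAD stands in for a transit back-end: AES-256-GCM with an in-memory key.
type LocalAEAD struct{ gcm cipher.AEAD }

func NewLocalAEAD(key []byte) (*LocalAEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LocalAEAD{gcm: gcm}, nil
}

// EncryptAEAD returns base64(nonce || ciphertext || tag); the AAD is bound
// into the tag but not stored, so the caller must present it again to decrypt.
func (l *LocalAEAD) EncryptAEAD(data []byte, aad []fmt.Stringer) (string, error) {
	nonce := make([]byte, l.gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := l.gcm.Seal(nonce, nonce, data, joinAAD(aad))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptAEAD fails if either the ciphertext or the AAD differs from what was
// sealed; the error deliberately does not say which.
func (l *LocalAEAD) DecryptAEAD(data string, aad []fmt.Stringer) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		return nil, err
	}
	ns := l.gcm.NonceSize()
	if len(raw) < ns+l.gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return l.gcm.Open(nil, raw[:ns], raw[ns:], joinAAD(aad))
}

// Demo seals a constructed password bound to a tenant and record id, opens it
// with the same AAD, then retries under another tenant and reports whether
// that wrongly succeeded (it must not).
func Demo() (string, bool, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return "", false, err
	}
	l, err := NewLocalAEAD(key)
	if err != nil {
		return "", false, err
	}
	bound := []fmt.Stringer{AAD{Key: "tenant", Value: "acme"}, AAD{Key: "record", Value: 42}}
	ct, err := l.EncryptAEAD([]byte("s3cr3t-password"), bound)
	if err != nil {
		return "", false, err
	}
	pt, err := l.DecryptAEAD(ct, bound)
	if err != nil {
		return "", false, err
	}
	swapped := []fmt.Stringer{AAD{Key: "tenant", Value: "mallory"}, AAD{Key: "record", Value: 42}}
	_, swapErr := l.DecryptAEAD(ct, swapped)
	return string(pt), swapErr == nil, nil
}

func main() { fmt.Println(Demo()) }
```

The practical point for callers of Client.EncryptAEAD/DecryptAEAD: put the identifiers that define where a ciphertext is allowed to be used (tenant, record id, field name) into the AAD, derive them on both sides from the same source, and treat a decryption failure as a possible cut-and-paste of a ciphertext from one context into another, not just as corruption.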

type ClientManager

type ClientManager interface {
	Client
	Authenticate(context.Context) error
	Notifications() <-chan Renewal
	Run(context.Context, *sync.WaitGroup) error
}

ClientManager embeds a Client and adds the runtime functionality for running the secret back-end infrastructure that most consumers of secrets don't care about but the main process runner does.

func NewConfigFileClient

func NewConfigFileClient(filesystem fs.FS, name, key string) (ClientManager, error)

NewConfigFileClient creates a new ConfigFileClient by loading a named config file from a filesystem and unmarshalling it. The config file can be in JSON or YAML format, determined by a .json, .yaml, or .yml extension. The configuration must be nested within a key in that file to support sharing the file with other subsystems.

Credentials should be stored in the config file in a format that matches their struct definitions in client.go; the json and yaml struct tags on Credential, AWSCredential, ApiKey and RSAKey give the expected field names.
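An added example of the loading procedure described above (not the package's own code): read the named file from an fs.FS, pick the decoder by extension, take the subtree under the configured key so the file can be shared with other subsystems, and unmarshal one entry into Credential. The nested layout {key: {secret path: {fields}}} is an assumption, since the page only says the configuration is nested under a key; Credential keeps only its json tag; and, to stay free of third-party modules, the YAML branch is recognised but not decoded here. The config content is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io/fs"
	"path"
	"testing/fstest"
)

// Credential mirrors the page's secrets.Credential; only the json tag is kept
// because this example decodes JSON only.
type Credential struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// loadSection reads name from filesystem, chooses a decoder by extension as
// NewConfigFileClient does, and returns the subtree stored under key. The
// assumed layout is {key: {secretPath: {...fields...}}}. YAML is recognised
// but not decoded here, so the example needs no third-party module.
func loadSection(filesystem fs.FS, name, key string) (map[string]json.RawMessage, error) {
	data, err := fs.ReadFile(filesystem, name)
	if err != nil {
		return nil, err
	}
	var doc map[string]map[string]json.RawMessage
	switch ext := path.Ext(name); ext {
	case ".json":
		if err := json.Unmarshal(data, &doc); err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
	case ".yaml", ".yml":
		return nil, errors.New("yaml: decoder not wired into this example")
	default:
		return nil, fmt.Errorf("%s: unsupported config extension %q", name, ext)
	}
	section, ok := doc[key]
	if !ok {
		return nil, fmt.Errorf("%s: config key %q not found", name, key)
	}
	return section, nil
}

// lookup unmarshals the entry at p into out, the (path, out any) shape of
// Client.Secret. A missing path is an error, never an empty credential, so a
// typo in a secret path cannot silently hand the caller blank credentials.
func lookup(section map[string]json.RawMessage, p string, out any) error {
	raw, ok := section[p]
	if !ok {
		return fmt.Errorf("secret %q not present in config", p)
	}
	return json.Unmarshal(raw, out)
}

// Demo uses an in-memory filesystem holding a constructed config in which the
// secrets sit under "secrets" beside unrelated "http" settings.
func Demo() (Credential, error) {
	fsys := fstest.MapFS{
		"app.json": {Data: []byte(`{
  "http": {"listen": ":8080"},
  "secrets": {
    "database/primary": {"username": "app", "password": "constructed-example"}
  }
}`)},
	}
	section, err := loadSection(fsys, "app.json", "secrets")
	if err != nil {
		return Credential{}, err
	}
	var c Credential
	err = lookup(section, "database/primary", &c)
	return c, err
}

func main() {
	c, err := Demo()
	fmt.Printf("user=%s password-length=%d err=%v\n", c.Username, len(c.Password), err)
}
```

Two things to carry over when using the real ConfigFileClient: the file contains the credentials themselves, so its filesystem permissions are the whole access control, and WriteSecret on this client silently succeeds without touching the file, so nothing written through it can be read back later.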

func NewNoopClient

func NewNoopClient() (ClientManager, error)

func NewVaultClient

func NewVaultClient(cfg *VaultClientConfig) (ClientManager, error)

NewVaultClient will attempt to create a secrets.Client from the passed config. Config can be nil, in which case an attempt will be made to load the configuration from environment variables. See VaultClientConfig for the expected names of those variables.

type ConfigFileClient

type ConfigFileClient struct {
	// contains filtered or unexported fields
}

ConfigFileClient returns secrets from a JSON or YAML configuration file. The file holds the credentials themselves, so they are only as protected as the permissions on that file; this mode isn't as secure as using Vault or another secret management service, but it can be useful for users who don't have access to such a service.

Writes to this secret client silently succeed without changing the file, so a value written through WriteSecret cannot be read back.

func (*ConfigFileClient) AWSAssumeRole

func (c *ConfigFileClient) AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error)

func (*ConfigFileClient) AWSAssumeRoleSimple

func (c *ConfigFileClient) AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error)

func (*ConfigFileClient) AWSIAMUser

func (c *ConfigFileClient) AWSIAMUser(ctx context.Context, name string) (*AWSCredential, Handle, error)

func (*ConfigFileClient) Authenticate

func (c *ConfigFileClient) Authenticate(ctx context.Context) error

func (*ConfigFileClient) DatabaseCredential

func (c *ConfigFileClient) DatabaseCredential(ctx context.Context, path string) (*Credential, Handle, error)

func (*ConfigFileClient) Decrypt

func (c *ConfigFileClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error)

func (*ConfigFileClient) DecryptAEAD

func (c *ConfigFileClient) DecryptAEAD(ctx context.Context, suffix, data string, aad []fmt.Stringer) ([]byte, error)

func (*ConfigFileClient) Destroy

func (c *ConfigFileClient) Destroy(h Handle) error

func (*ConfigFileClient) Encrypt

func (c *ConfigFileClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error)

func (*ConfigFileClient) EncryptAEAD

func (c *ConfigFileClient) EncryptAEAD(ctx context.Context, suffix string, data []byte, aad []fmt.Stringer) (string, error)

func (*ConfigFileClient) MakeNonCritical

func (c *ConfigFileClient) MakeNonCritical(h Handle) error

func (*ConfigFileClient) Notifications

func (c *ConfigFileClient) Notifications() <-chan Renewal

func (*ConfigFileClient) RawSecret

func (c *ConfigFileClient) RawSecret(ctx context.Context, path string, out any) (Handle, error)

func (*ConfigFileClient) Run

func (c *ConfigFileClient) Run(ctx context.Context, wg *sync.WaitGroup) error

func (*ConfigFileClient) Secret

func (c *ConfigFileClient) Secret(ctx context.Context, path string, out any) (Handle, error)

func (*ConfigFileClient) WriteSecret

func (c *ConfigFileClient) WriteSecret(ctx context.Context, path string, in any) error

type ConfigFileHandle

type ConfigFileHandle struct{}

func (*ConfigFileHandle) Reference

func (h *ConfigFileHandle) Reference() string

type Credential

type Credential struct {
	Username string `json:"username" mapstructure:"username" yaml:"username"`
	Password string `json:"password" mapstructure:"password" yaml:"password"`
}

func MustGetCredential

func MustGetCredential(c Client, ctx context.Context, path string) *Credential

type Handle

type Handle interface {
	Reference() string
}

type NoopClient

type NoopClient struct {
	// contains filtered or unexported fields
}

NoopClient does nothing and will never fail. It returns empty but non-nil credentials and handles where needed. This is useful for when code paths expect a secret client but using one is not needed.

func (*NoopClient) AWSAssumeRole

func (c *NoopClient) AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error)

func (*NoopClient) AWSAssumeRoleSimple

func (c *NoopClient) AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error)

func (*NoopClient) AWSIAMUser

func (c *NoopClient) AWSIAMUser(ctx context.Context, name string) (*AWSCredential, Handle, error)

func (*NoopClient) Authenticate

func (c *NoopClient) Authenticate(ctx context.Context) error

func (*NoopClient) DatabaseCredential

func (c *NoopClient) DatabaseCredential(ctx context.Context, path string) (*Credential, Handle, error)

func (*NoopClient) Decrypt

func (c *NoopClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error)

func (*NoopClient) DecryptAEAD

func (c *NoopClient) DecryptAEAD(ctx context.Context, suffix, data string, aad []fmt.Stringer) ([]byte, error)

func (*NoopClient) Destroy

func (c *NoopClient) Destroy(h Handle) error

func (*NoopClient) Encrypt

func (c *NoopClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error)

func (*NoopClient) EncryptAEAD

func (c *NoopClient) EncryptAEAD(ctx context.Context, suffix string, data []byte, aad []fmt.Stringer) (string, error)

func (*NoopClient) MakeNonCritical

func (c *NoopClient) MakeNonCritical(h Handle) error

func (*NoopClient) Notifications

func (c *NoopClient) Notifications() <-chan Renewal

func (*NoopClient) RawSecret

func (c *NoopClient) RawSecret(ctx context.Context, path string, out any) (Handle, error)

func (*NoopClient) Run

func (c *NoopClient) Run(ctx context.Context, wg *sync.WaitGroup) error

func (*NoopClient) Secret

func (c *NoopClient) Secret(ctx context.Context, path string, out any) (Handle, error)

func (*NoopClient) WriteSecret

func (c *NoopClient) WriteSecret(ctx context.Context, path string, in any) error

type NoopHandle

type NoopHandle struct{}

func (*NoopHandle) Reference

func (h *NoopHandle) Reference() string

type RSAKey

type RSAKey struct {
	Key string `json:"key" mapstructure:"key" yaml:"key"`
}

func MustGetRSAKey

func MustGetRSAKey(c Client, ctx context.Context, path string) *RSAKey

func (*RSAKey) RSAPrivateKey

func (k *RSAKey) RSAPrivateKey() (*rsa.PrivateKey, error)
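RSAKey carries the key as a string, so RSAPrivateKey has to parse PEM text. The added example below (not the package's implementation, whose accepted encodings the page does not document) shows the parse a practitioner would want: accept PKCS#1 and PKCS#8 blocks, refuse encrypted blocks, trailing data, mislabelled blocks and PKCS#8 blocks holding a non-RSA key, and prove the roundtrip on a throwaway key generated in-process. RSAKey is redeclared locally with only its json tag.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// RSAKey mirrors the page's secrets.RSAKey: the PEM text is carried in Key.
type RSAKey struct {
	Key string `json:"key"`
}

// RSAPrivateKey parses Key as PEM. It accepts PKCS#1 ("RSA PRIVATE KEY") and
// PKCS#8 ("PRIVATE KEY") and rejects anything else, including a PKCS#8 block
// holding a non-RSA key, PEM headers (encrypted keys) and trailing data.
// The page does not say which encodings its own RSAPrivateKey accepts; this
// set is the example's choice.
func (k *RSAKey) RSAPrivateKey() (*rsa.PrivateKey, error) {
	block, rest := pem.Decode([]byte(k.Key))
	if block == nil {
		return nil, errors.New("rsa key: no PEM block found")
	}
	if len(bytes.TrimSpace(rest)) != 0 {
		return nil, errors.New("rsa key: trailing data after PEM block")
	}
	if len(block.Headers) != 0 {
		return nil, errors.New("rsa key: PEM headers present; encrypted keys are not supported")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rk, ok := parsed.(*rsa.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("rsa key: PKCS#8 block holds %T, not an RSA key", parsed)
		}
		return rk, nil
	default:
		return nil, fmt.Errorf("rsa key: unexpected PEM type %q", block.Type)
	}
}

// Roundtrip generates a throwaway 2048-bit key, encodes it both ways and
// checks that each parses back to the same key. It also returns the error
// from a block whose type line ("EC PRIVATE KEY") contradicts its bytes: the
// type line is the only encoding hint, so the parser refuses to guess.
func Roundtrip() (pkcs1OK, pkcs8OK bool, wrongTypeErr error, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, nil, err
	}
	pkcs1 := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	der8, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return false, false, nil, err
	}
	pkcs8 := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der8})
	mislabelled := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der8})

	k1, err := (&RSAKey{Key: string(pkcs1)}).RSAPrivateKey()
	if err != nil {
		return false, false, nil, err
	}
	k8, err := (&RSAKey{Key: string(pkcs8)}).RSAPrivateKey()
	if err != nil {
		return false, false, nil, err
	}
	_, wrongTypeErr = (&RSAKey{Key: string(mislabelled)}).RSAPrivateKey()
	return priv.Equal(k1), priv.Equal(k8), wrongTypeErr, nil
}

func main() {
	fmt.Println(Roundtrip())
}
```

The error messages never echo the key material, and neither should callers' logs: RSAKey.Key is the secret, so log the path it was fetched from, not the struct.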

type Renewal

type Renewal struct {
	Name     string
	Critical bool
	Time     time.Time
	Error    error
}

type VaultClient

type VaultClient struct {
	sync.Mutex
	// contains filtered or unexported fields
}

func (*VaultClient) AWSAssumeRole

func (c *VaultClient) AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error)

func (*VaultClient) AWSAssumeRoleSimple

func (c *VaultClient) AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error)

func (*VaultClient) AWSIAMUser

func (c *VaultClient) AWSIAMUser(ctx context.Context, name string) (*AWSCredential, Handle, error)

func (*VaultClient) Authenticate

func (c *VaultClient) Authenticate(ctx context.Context) error

func (*VaultClient) DatabaseCredential

func (c *VaultClient) DatabaseCredential(ctx context.Context, suffix string) (*Credential, Handle, error)

func (*VaultClient) Decrypt

func (c *VaultClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error)

func (*VaultClient) DecryptAEAD

func (c *VaultClient) DecryptAEAD(ctx context.Context, suffix, data string, aad []fmt.Stringer) ([]byte, error)

func (*VaultClient) Destroy

func (c *VaultClient) Destroy(h Handle) error

func (*VaultClient) Encrypt

func (c *VaultClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error)

func (*VaultClient) EncryptAEAD

func (c *VaultClient) EncryptAEAD(ctx context.Context, suffix string, data []byte, aad []fmt.Stringer) (string, error)

func (*VaultClient) MakeNonCritical

func (c *VaultClient) MakeNonCritical(h Handle) error

func (*VaultClient) Notifications

func (c *VaultClient) Notifications() <-chan Renewal

func (*VaultClient) RawSecret

func (c *VaultClient) RawSecret(ctx context.Context, path string, out any) (Handle, error)

func (*VaultClient) Run

func (c *VaultClient) Run(ctx context.Context, wg *sync.WaitGroup) error

func (*VaultClient) Secret

func (c *VaultClient) Secret(ctx context.Context, suffix string, out any) (Handle, error)

func (*VaultClient) VaultToken

func (c *VaultClient) VaultToken() string

VaultToken is not part of the official API but is exposed for clients that need direct access to the token for some reason. There are no compatibility guarantees for this method, and its use limits portability to other back-ends.

func (*VaultClient) WriteSecret

func (c *VaultClient) WriteSecret(ctx context.Context, suffix string, in any) error

type VaultClientConfig

type VaultClientConfig struct {
	Host        string `env:"VAULT_ADDR"`
	Token       string `env:"VAULT_TOKEN"`
	RoleId      string `env:"VAULT_ROLE_ID"`
	RoleSecret  string `env:"VAULT_SECRET_ID"`
	Increment   int    `env:"VAULT_INCREMENT"`
	AppRoleAuth *approle.AppRoleAuth
}

func (*VaultClientConfig) Validate

func (c *VaultClientConfig) Validate() error

type VaultHandle

type VaultHandle struct {
	// contains filtered or unexported fields
}

func (*VaultHandle) Reference

func (h *VaultHandle) Reference() string

type VaultServiceClient

type VaultServiceClient interface {
	Auth() *api.Auth
	Sys() *api.Sys
	Token() string
}
