Go Client Library for Password Safe
The Go client library for Password Safe enables Go developers to easily manage passwords from Password Safe. It provides simplifications that significantly reduce the amount of code you need to write.
Prerequisites
The library supports retrieval of secrets from BeyondInsight/Password Safe versions 23.1 or greater.
Retrieve Secrets
- apiUrl:
  - description: BeyondTrust Password Safe API URL.
  - type: string
  - required: True
- clientId:
  - description: API OAuth Client ID.
  - type: string
  - required: True
- clientSecret:
  - description: API OAuth Client Secret.
  - type: string
  - required: True
- secretPaths:
  - description: List of secrets ["path/title","path/title"] or managed accounts ["ms/ma","ms/ma"] to be retrieved, separated by a comma.
  - type: list
  - required: True
- certificate:
  - description: Content of the certificate (cert.pem) for use when authenticating with an API key using a Client Certificate.
  - type: string
  - required: False
- certificateKey:
  - description: Certificate private key (key.pem). For use when authenticating with an API key.
  - type: string
  - required: False
- verifyCA:
  - description: Indicates whether to verify the certificate authority on the Secrets Safe instance. Warning: false is insecure; it instructs the client not to verify the certificate authority.
  - type: boolean
  - default: True
  - required: False
- separator:
  - description: Indicates the separator used for Managed Accounts or Secrets Safe paths. The default separator is a forward slash. To use a different symbol, write the paths with it, for example: root1-folder1-title1
  - type: string
  - default: /
  - required: False
- clientTimeOutInSeconds:
  - description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body.
  - type: int
  - default: 30 seconds
  - required: False
- retryMaxElapsedTimeMinutes:
  - description: After MaxElapsedTime the ExponentialBackOff returns Stop.
  - type: int
  - default: 2 minutes
  - required: False
- maxFileSecretSizeBytes:
  - description: Sets a limit on the size of a file secret. If the limit is exceeded, an error is logged and the secret is ignored. Range 1-5000000 bytes.
  - type: int
  - default: 4000
  - required: False
Methods
- getSecrets(paths)
  - Invoked for Managed Account or Secrets Safe secrets.
  - Returns a dictionary of secret path/secret key-value pairs.
- getSecret(path)
  - Invoked for Managed Account or Secrets Safe secrets.
  - Returns the requested secret.
Example of usage
TestClient.go provides example usage of the library. To build and execute it:
go build
go run TestClient.go
Download the pfx certificate from Secrets Safe and extract the certificate and the key.
openssl pkcs12 -in client_certificate.pfx -nocerts -out ps_key.pem -nodes
openssl pkcs12 -in client_certificate.pfx -clcerts -nokeys -out ps_cert.pem
Copy the text from the ps_key.pem to a secret.
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Copy the text from the ps_cert.pem to a secret.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
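The following is an added example, not the library's own code: it shows how the certificate, certificateKey, verifyCA and clientTimeOutInSeconds values could map onto a standard-library HTTP client, and uses tls.X509KeyPair to confirm that the extracted ps_cert.pem and ps_key.pem actually belong together before they are stored as secrets. The names newPSClient and samplePair are hypothetical, and the self-signed pair is constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// newPSClient is a hypothetical helper (not part of the library). It rejects a
// certificate/key pair that does not match and only skips CA checks when verifyCA is false.
func newPSClient(certPEM, keyPEM string, verifyCA bool, timeoutSeconds int) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: !verifyCA}
	if certPEM != "" || keyPEM != "" {
		// X509KeyPair skips the "Bag Attributes" text openssl writes before each PEM block.
		pair, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
		if err != nil {
			return nil, fmt.Errorf("certificate/certificateKey rejected: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return &http.Client{
		Timeout:   time.Duration(timeoutSeconds) * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}, nil
}

// samplePair builds a throwaway self-signed pair (constructed sample input).
func samplePair() (certPEM, keyPEM string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
		string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}))
}

func main() {
	cert, key := samplePair()
	_, otherKey := samplePair()
	_, err := newPSClient(cert, key, true, 30)
	fmt.Println("matching pair:", err)
	_, err = newPSClient(cert, otherKey, true, 30)
	fmt.Println("mismatched pair:", err)
}
```

Because the openssl commands above use -nodes, ps_key.pem is written unencrypted; restrict its file permissions and delete it once its contents are stored as a secret.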
Logging Abstraction
This library supports Zap, Logr, and the Go log package. The library can be extended to support other logging packages; see logging.go.
// create a zap logger
logger, _ := zap.NewProduction()
// logger, _ := zap.NewDevelopment()
// create a zap logger wrapper
zapLogger := logging.NewZapLogger(logger)
Unit Tests
go-client-library-passwordsafe\api\authentication> go test
go-client-library-passwordsafe\api\managed_account> go test
go-client-library-passwordsafe\api\secrets> go test
License
This software is distributed under the Massachusetts Institute of Technology (MIT) License. See LICENSE.txt for more information.
Release Please App usage
To use the Release Please App, we need to use conventional commits. Here is a more comprehensive guide to some of the conventional commits that we can use.
Some of the more important and common commit types are:
| Type | Description | Triggers Release Please |
| --- | --- | --- |
| feat! | Introduce a major change e.g. v1.0.0 to v2.0.0 | Yes |
| feat | Introduce a minor change e.g. v1.0.0 to v1.1.0 | Yes |
| fix | Introduce a patch change e.g. v1.0.0 to v1.0.1 | Yes |
| chore | Could introduce a BREAKING CHANGE into the CHANGELOG | Yes |
| docs | Documentation update | No |
| refactor | A code change that neither fixes a bug nor adds a feature | No |
| test | Adding or modifying tests | No |
| build | Changes that affect the build system or external dependencies | No |
| ci | Changes to CI configuration files and scripts | No |
Remember, the Release Please App triggers once a PR with the conventional commit structure is merged into the main branch. If you are working on features that are related to a Jira ticket, you can still use feat while developing: because we can squash the commits when we merge the PR, only one commit with the conventional syntax will appear in the history and in the changelog.
Run performance Tests
go run performancetest/PerformanceTest.go
In another console, run:
# run with the web UI
go tool pprof -http=:8080 memory.pprof
go tool pprof -http=:8081 cpu.pprof
# run without the web UI
go tool pprof memory.pprof
go tool pprof cpu.pprof
# check memory and CPU usage per function
top
# inspect memory usage inside a function
list main.callPasswordSafeAPI
Fuzz Testing
Run Fuzz Tests
go test -fuzz=FuzzGetManagedAccount -fuzztime=10s ./fuzzing/managed_accounts
go test -fuzz=FuzzGetSecret -fuzztime=10s ./fuzzing/secrets