Documentation
Overview
The secrets package provides methods for generating, storing, and retrieving secret data.
Eventually, we hope to replace the file-system based code in here with code that makes use of a service (secrets-service) or Habitat.
Constants

    const (
        // DefaultDiskStoreDataDir is the default directory that we will use when
        // instantiating our disk-based data store. We allow overriding this
        // for local testing.
        DefaultDiskStoreDataDir = "/hab/svc/deployment-service/data/shared"
        // DefaultDiskStoreDataOwner is the user who should own all
        // files and directories in the disk store.
        //
        // TODO(ssd) 2018-08-20: This is unsafe currently because all of our
        // services run as the same user. In Chef Server, we have root own the
        // secrets store, read the secrets as root, and then drop privs when
        // we exec the command.
        DefaultDiskStoreDataOwner = "hab"
        // SecretFileExtension is the extension name for the encrypted secrets file
        SecretFileExtension = ".enc"
    )
Variables

    var BifrostSuperuserIDName = SecretName{
        Group: "oc_bifrost",
        Name:  "superuser_id",
    }

Commonly used secret names. When accessing this library from Go code, these vars are provided to avoid copy-paste errors.
Functions
func GenerateRandomBytes
GenerateRandomBytes generates the requested number of ASCII bytes from the hex alphabet. The resulting byte slice is safe to convert to a printable ASCII string.
Note, however, that each returned byte is drawn from the 16-character hex alphabet, so the entropy of N returned bytes corresponds to 16^N possible values rather than 256^N.
func PrepareSSHPrivateKey
PrepareSSHPrivateKey takes the contents of an SSH key and saves them into a temporary file.
Types
type SecretKeyJSON

    type SecretKeyJSON struct {
        Algorithm  string               `json:"algorithm"`
        IV         initializationVector `json:"iv"`
        Ciphertext ciphertext           `json:"ciphertext"`
    }

SecretKeyJSON is the JSON structure used to write and read the encrypted secret file.
type SecretName
SecretName represents a secret that a service may want to generate or read. Secrets are placed into groups. Conventionally, the group is the name of the service that generates the secret.
func SecretNameFromString
func SecretNameFromString(spec string) (SecretName, error)
SecretNameFromString parses the string according to the chef_secrets convention of using "." as the record separator between group and name.
func (SecretName) String
func (s SecretName) String() string
type SecretStore

    type SecretStore interface {
        Initialize() error
        SecretsReader
        SecretsWriter
    }
SecretStore allows you to store and retrieve secret data from a secrets store.
func NewDefaultSecretStore
func NewDefaultSecretStore() (SecretStore, error)
func NewDiskStore
func NewDiskStore(basePath string, uid, gid int) SecretStore
type SecretsReader

    type SecretsReader interface {
        // NOTE(ssd) 2018-08-20: Exists is here to support idempotent
        // service startup. If we move this to a service, we might
        // consider making a CreateIfNotExists api and simplifying
        // this interface.
        Exists(SecretName) (bool, error)
        GetSecret(SecretName) ([]byte, error)
    }

SecretsReader allows you to retrieve secret data from a secrets store.
func NewDiskStoreReader
func NewDiskStoreReader(basePath string) SecretsReader
type SecretsWriter

    type SecretsWriter interface {
        SetSecret(SecretName, []byte) error
    }

SecretsWriter allows you to set secret data in a secrets store.
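As an added example, not code from this package, the idempotent-startup pattern the SecretsReader note describes (Exists, then GetSecret or SetSecret) run against a constructed in-memory store, together with a hex-alphabet generator that makes the GenerateRandomBytes entropy caveat concrete. SecretName, SecretStore, memStore, HexRandomBytes and EnsureSecret are all re-declared here and are assumptions about the API, not the package's own code.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// SecretName mirrors the package type; SecretStore flattens SecretsReader and SecretsWriter.
type SecretName struct{ Group, Name string }
type SecretStore interface {
	Exists(SecretName) (bool, error)
	GetSecret(SecretName) ([]byte, error)
	SetSecret(SecretName, []byte) error
}

// memStore is a constructed in-memory SecretStore, not the package's disk store.
type memStore map[SecretName][]byte

func (m memStore) Exists(n SecretName) (bool, error)      { _, ok := m[n]; return ok, nil }
func (m memStore) SetSecret(n SecretName, v []byte) error { m[n] = append([]byte(nil), v...); return nil }
func (m memStore) GetSecret(n SecretName) ([]byte, error) {
	if v, ok := m[n]; ok {
		return append([]byte(nil), v...), nil
	}
	return nil, fmt.Errorf("secret %s.%s not found", n.Group, n.Name)
}

// HexRandomBytes does what GenerateRandomBytes documents: n printable bytes from the
// hex alphabet, so only 4 bits of entropy per byte (16^n possible values, not 256^n).
func HexRandomBytes(n int) ([]byte, error) {
	raw := make([]byte, (n+1)/2)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	return []byte(hex.EncodeToString(raw))[:n], nil
}

// EnsureSecret is the idempotent-startup pattern behind SecretsReader.Exists: reuse a
// stored secret, else generate and persist one. Exists-then-Set is not atomic, so two
// services starting together can race; that is the gap a CreateIfNotExists API closes.
func EnsureSecret(store SecretStore, name SecretName, gen func() ([]byte, error)) ([]byte, bool, error) {
	if exists, err := store.Exists(name); err != nil {
		return nil, false, err
	} else if exists {
		v, err := store.GetSecret(name)
		return v, false, err
	}
	v, err := gen()
	if err == nil {
		err = store.SetSecret(name, v) // on error the caller discards v
	}
	return v, err == nil, err
}
```

The second EnsureSecret call for the same name returns the stored value without invoking the generator again, which is the behaviour a service restart relies on.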