secrets

package
v0.0.0-...-5a7b0e6
Published: Dec 27, 2024 License: Apache-2.0 Imports: 15 Imported by: 4

Documentation

Overview

The secrets package provides methods for generating, storing, and retrieving secret data.

Eventually, we hope to replace the file-system based code in here with code that makes use of a service (secrets-service) or Habitat.

Index

Constants

const (
	// DefaultDiskStoreDataDir is the default directory that we will use when
	// instantiating our disk-based data store. We allow overriding this
	// for local testing.
	DefaultDiskStoreDataDir = "/hab/svc/deployment-service/data/shared"
	// DefaultDiskStoreDataOwner is the user who should own all
	// files and directories in the disk store.
	//
	// TODO(ssd) 2018-08-20: This is unsafe currently because all of our
	// services run as the same user. In Chef Server, we have root own the
	// secrets store, read the secrets as root, and then drop privs when
	// we exec the command.
	DefaultDiskStoreDataOwner = "hab"

	// SecretFileExtension is the extension name for the encrypted secrets file
	SecretFileExtension = ".enc"
)

Variables

var BifrostSuperuserIDName = SecretName{
	Group: "oc_bifrost",
	Name:  "superuser_id",
}

Commonly used secret names. When accessing this library from Go code, these variables are provided to avoid copy-paste errors.

Functions

func GenerateRandomBytes

func GenerateRandomBytes(userProvidedLength int) ([]byte, error)

GenerateRandomBytes generates the requested number of ASCII bytes from the hex alphabet. The resulting byte slice should be safe to convert to a printable ASCII string.

Note, however, that the entropy of the returned byte slice corresponds to 16^N possible values rather than 256^N (4 bits per byte rather than 8), since each returned byte is drawn from the hex alphabet.
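To make the caveat concrete, here is an added example (not the secrets package's own code) with an assumed re-implementation of a hex-alphabet generator, a helper that sizes a request so the value carries a target number of entropy bits, and a check that the output really is printable hex:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math"
)

// hexRandomBytes is an assumed re-implementation of what the page describes for
// GenerateRandomBytes (n bytes from the hex alphabet); not the package's own code.
func hexRandomBytes(n int) ([]byte, error) {
	if n <= 0 {
		return nil, errors.New("length must be positive")
	}
	raw := make([]byte, (n+1)/2) // each raw byte becomes two hex characters
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	return []byte(hex.EncodeToString(raw))[:n], nil
}

// entropyBits is the entropy of an n-byte hex-alphabet value: 16^n possibilities,
// i.e. 4 bits per byte, rather than the 8 bits per byte (256^n) of raw bytes.
func entropyBits(n int) int { return 4 * n }

// lengthForEntropy is the length to request so the value carries at least `bits` bits.
func lengthForEntropy(bits int) int { return int(math.Ceil(float64(bits) / 4)) }

// isHexAlphabet reports whether every byte is in [0-9a-f] (printable ASCII).
func isHexAlphabet(b []byte) bool {
	for _, c := range b {
		if !((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f')) {
			return false
		}
	}
	return len(b) > 0
}

func main() {
	n := lengthForEntropy(128) // 32 hex bytes, not 16, for a 128-bit secret
	secret, err := hexRandomBytes(n)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d hex bytes = %d bits of entropy: %s\n", n, entropyBits(n), secret)
}
```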

func PrepareSSHPrivateKey

func PrepareSSHPrivateKey(keyContent string) (string, error)

PrepareSSHPrivateKey takes the contents of an SSH key and saves them into a temporary file.

Types

type SecretKeyJSON

type SecretKeyJSON struct {
	Algorithm  string               `json:"algorithm"`
	IV         initializationVector `json:"iv"`
	Ciphertext ciphertext           `json:"ciphertext"`
}

SecretKeyJSON is the JSON structure required to write and read the encrypted secret file.

type SecretName

type SecretName struct {
	Group string
	Name  string
}

SecretName represents a secret that a service may want to generate or read. Secrets are placed into groups. Conventionally, the group is the name of the service that generates the secret.

func SecretNameFromString

func SecretNameFromString(spec string) (SecretName, error)

SecretNameFromString parses the string according to the chef_secrets convention of using . as a record separator.

func (SecretName) String

func (s SecretName) String() string

type SecretStore

type SecretStore interface {
	Initialize() error
	SecretsReader
	SecretsWriter
}

SecretStore allows you to store and retrieve secret data from a secrets store.

func NewDefaultSecretStore

func NewDefaultSecretStore() (SecretStore, error)

func NewDiskStore

func NewDiskStore(basePath string, uid, gid int) SecretStore

type SecretsReader

type SecretsReader interface {
	// NOTE(ssd) 2018-08-20: Exists is here to support idempotent
	// service startup. If we move this to a service, we might
	// consider making a CreateIfNotExists API and simplifying
	// this interface.
	Exists(SecretName) (bool, error)
	GetSecret(SecretName) ([]byte, error)
}

SecretsReader allows you to retrieve secrets data from a secrets store.

func NewDiskStoreReader

func NewDiskStoreReader(basePath string) SecretsReader

type SecretsWriter

type SecretsWriter interface {
	SetSecret(SecretName, []byte) error
}

SecretsWriter allows you to set secret data in a secrets store.
