secrets

package v0.0.0-...-bde19ca
Published: Mar 28, 2020 License: BSD-3-Clause Imports: 9 Imported by: 0

Documentation

Overview

Package secrets provides the functionality to access secrets from Vault by reading them out of a JSON file with automatic refresh on change.

Store should be used to instantiate and configure the secret fetcher.

Index

Constants

This section is empty.

Variables

var ErrInvalidEncoding = errors.New("secrets: invalid encoding, expected identity, base64 or empty")

ErrInvalidEncoding is the error returned by the parser when we got an invalid encoding in the secrets.json file.

Functions

This section is empty.

Types

type CredentialSecret

type CredentialSecret struct {
	Username string
	Password string
}

CredentialSecret represents a username/password pair as a single secret in Vault. Note that usernames are not generally considered secret, but they are tied to passwords.

type Document

type Document struct {
	Secrets map[string]GenericSecret `json:"secrets"`
	Vault   Vault                    `json:"vault"`
}

Document represents the raw parsed entity of a Secrets JSON and is not meant to be used other than instantiating Secrets.

func (*Document) Validate

func (s *Document) Validate() error

Validate checks the Document for any errors that violate the Baseplate specification.

When this function returns a non-nil error, the error is either a TooManyFieldsError, or a BatchError containing multiple TooManyFieldsError.

type GenericSecret

type GenericSecret struct {
	Type     string   `json:"type"`
	Value    string   `json:"value"`
	Encoding encoding `json:"encoding"`

	Current  string `json:"current"`
	Previous string `json:"previous"`
	Next     string `json:"next"`

	Username string `json:"username"`
	Password string `json:"password"`
}

GenericSecret is a placeholder to fit all types of secrets when parsing the Secret JSON before processing them into their more typed equivalents.

type Secret

type Secret []byte

A Secret is the base type of secrets.

func (Secret) IsEmpty

func (s Secret) IsEmpty() bool

IsEmpty returns true if the secret is empty.

type SecretHandlerFunc

type SecretHandlerFunc func(sec *Secrets)

SecretHandlerFunc is the function that actually works with the Secrets.

type SecretMiddleware

type SecretMiddleware func(next SecretHandlerFunc) SecretHandlerFunc

SecretMiddleware creates a chain of SecretHandlerFunc calls.

type SecretNotFoundError

type SecretNotFoundError string

SecretNotFoundError is returned when the key for a secret is not present in the secret store.

func (SecretNotFoundError) Error

func (path SecretNotFoundError) Error() string

type Secrets

type Secrets struct {
	// contains filtered or unexported fields
}

Secrets allows access to secrets based on their type.

func NewSecrets

func NewSecrets(r io.Reader) (*Secrets, error)

NewSecrets parses and validates the secret JSON provided by the reader.

func (*Secrets) GetCredentialSecret

func (s *Secrets) GetCredentialSecret(path string) (CredentialSecret, error)

GetCredentialSecret fetches a credential secret or error if the key is not present.

func (*Secrets) GetSimpleSecret

func (s *Secrets) GetSimpleSecret(path string) (SimpleSecret, error)

GetSimpleSecret fetches a simple secret or error if the key is not present.

func (*Secrets) GetVersionedSecret

func (s *Secrets) GetVersionedSecret(path string) (VersionedSecret, error)

GetVersionedSecret fetches a versioned secret or error if the key is not present.

type SimpleSecret

type SimpleSecret struct {
	Value Secret
}

SimpleSecret represents basic secrets.

type Store

type Store struct {
	// contains filtered or unexported fields
}

Store gives access to secret tokens with automatic refresh on change.

This local vault allows access to the secrets cached on disk by the fetcher daemon. It will automatically reload the cache when it is changed. Do not cache or store the values returned by this class's methods but rather get them from this class each time you need them. The secrets are served from memory so there's little performance impact to doing so and you will be sure to always have the current version in the face of key rotation etc.

func NewStore

func NewStore(ctx context.Context, path string, logger log.Wrapper, middlewares ...SecretMiddleware) (*Store, error)

NewStore returns a new Store configured with a filewatcher that watches the file at path for changes, so the store always returns up-to-date secrets.

The context should come with a timeout; otherwise this might block forever, for example if the path never becomes available.

func (*Store) AddMiddlewares

func (s *Store) AddMiddlewares(middlewares ...SecretMiddleware)

AddMiddlewares registers new middlewares to the store.

Every AddMiddlewares call will cause all already registered middlewares to be called again with the latest data.

AddMiddlewares is not thread-safe and must not be called concurrently.

func (*Store) Close

func (s *Store) Close()

Close closes the underlying filewatcher and releases associated resources.

After Close is called you won't get any updates to the secrets file, but you can still access the secrets as they were before Close was called.

It's OK to call Close multiple times. Calls after the first one are no-ops.

func (Store) GetCredentialSecret

func (s Store) GetCredentialSecret(path string) (CredentialSecret, error)

GetCredentialSecret loads secrets from the watcher and fetches a credential secret from them.

func (Store) GetSimpleSecret

func (s Store) GetSimpleSecret(path string) (SimpleSecret, error)

GetSimpleSecret loads secrets from the watcher and fetches a simple secret from them.

func (Store) GetVault

func (s Store) GetVault() (Vault, error)

GetVault returns a struct with a URL and token to access Vault directly. The token will have policies attached based on the current EC2 server's Vault role. This is only necessary if talking directly to Vault.

This function always returns nil error.

func (Store) GetVersionedSecret

func (s Store) GetVersionedSecret(path string) (VersionedSecret, error)

GetVersionedSecret loads secrets from the watcher and fetches a versioned secret from them.

type TooManyFieldsError

type TooManyFieldsError struct {
	Key        string
	SecretType string
}

TooManyFieldsError is a type of error that can be returned by Document.Validate.

Note that Document.Validate could also return a BatchError containing multiple TooManyFieldsError.

func (TooManyFieldsError) Error

func (e TooManyFieldsError) Error() string

type Vault

type Vault struct {
	URL   string `json:"url"`
	Token string `json:"token"`
}

Vault provides authentication credentials so that applications can directly connect to Vault for more complicated use cases.

type VersionedSecret

type VersionedSecret struct {
	Current  Secret
	Previous Secret
	Next     Secret
}

VersionedSecret represents secrets like signing keys that can be rotated gracefully.

The current property contains the active version of a secret. This should be used for any actions that generate new cryptographic data (e.g. signing a token).

The previous and next fields contain old and not-yet-active versions of the secret respectively. These MAY be used by applications to give a grace period for cryptographic tokens generated during a rotation, but SHOULD NOT be used to generate new cryptographic tokens.

func (*VersionedSecret) GetAll

func (v *VersionedSecret) GetAll() []Secret

GetAll returns all versions that are not empty in the following order: current, previous, next.
