secrets

package
v0.0.85-test

This package is not in the latest version of its module.
Published: May 8, 2023 License: AGPL-3.0 Imports: 6 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var ErrDataKeyNotFound = errors.New("data key not found")

Functions

This section is empty.

Types

type BackgroundProvider

type BackgroundProvider interface {
	Run(ctx context.Context) error
}

BackgroundProvider should be implemented for a provider that has a task that needs to be run in the background.

type DataKey

type DataKey struct {
	Active        bool
	Name          string
	Scope         string
	Provider      ProviderID
	EncryptedData []byte
	Created       time.Time
	Updated       time.Time
}

type EncryptionOptions

type EncryptionOptions func() string

func WithScope

func WithScope(scope string) EncryptionOptions

WithScope uses a data key for encryption that is bound to one specific scope (for example a user or an organization). A scope should look like "user:10" or "org:1".

func WithoutScope

func WithoutScope() EncryptionOptions

WithoutScope uses a root-level data encryption key (DEK) for encryption; in other words, this DEK is not bound to any specific scope (it is not attached to any user, org, etc.).

type Provider

type Provider interface {
	Encrypt(ctx context.Context, blob []byte) ([]byte, error)
	Decrypt(ctx context.Context, blob []byte) ([]byte, error)
}

Provider is a key encryption key (KEK) provider for envelope encryption: it wraps and unwraps data keys, never the secrets themselves.

type ProviderID

type ProviderID string

func (ProviderID) Kind

func (id ProviderID) Kind() (string, error)

type Service

type Service interface {
	// Encrypt MUST NOT be used within database transactions, it may cause database locks.
	// For those specific use cases where the encryption operation cannot be moved outside
	// the database transaction, look at database-specific methods present at the specific
	// implementation present at manager.SecretsService.
	Encrypt(ctx context.Context, payload []byte, opt EncryptionOptions) ([]byte, error)
	Decrypt(ctx context.Context, payload []byte) ([]byte, error)

	// EncryptJsonData MUST NOT be used within database transactions.
	// Look at Encrypt method comment for further details.
	EncryptJsonData(ctx context.Context, kv map[string]string, opt EncryptionOptions) (map[string][]byte, error)
	DecryptJsonData(ctx context.Context, sjd map[string][]byte) (map[string]string, error)

	GetDecryptedValue(ctx context.Context, sjd map[string][]byte, key, fallback string) string

	ReEncryptDataKeys(ctx context.Context) error
}

Service is an envelope encryption service in charge of encrypting and decrypting secrets. It is a replacement for encryption.Service.

type Store

type Store interface {
	GetDataKey(ctx context.Context, name string) (*DataKey, error)
	GetAllDataKeys(ctx context.Context) ([]*DataKey, error)
	CreateDataKey(ctx context.Context, dataKey DataKey) error
	CreateDataKeyWithDBSession(ctx context.Context, dataKey DataKey, sess *xorm.Session) error
	DeleteDataKey(ctx context.Context, name string) error
	ReEncryptDataKeys(ctx context.Context, providers map[ProviderID]Provider, currProvider ProviderID) error
}

Store defines the methods used to interact with the secrets storage that holds the (KEK-wrapped) data keys.
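How these types fit together, as an added worked example that is not this package's own code: a constructed in-memory Provider wraps each per-scope data key (DEK) with its key encryption key (KEK); Encrypt looks up or creates the DEK for the scope chosen through EncryptionOptions and encrypts the payload with it; ReEncryptDataKeys rewraps every stored DEK under a new Provider without touching any ciphertext, which is what makes KEK rotation cheap. ErrDataKeyNotFound, Provider, EncryptionOptions and WithScope are re-declared with the signatures shown on this page; the AES-GCM wrapping, the "root" scope name returned by WithoutScope, the scope-prefixed envelope format, the all-zero demo KEK and the names kekProvider, envelopeService, unwrap, seal and open are this example's own assumptions.

```go
package main

import (
	"bytes"
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrDataKeyNotFound, Provider and EncryptionOptions are re-declared here with the page's signatures.
var ErrDataKeyNotFound = errors.New("data key not found")
type Provider interface {
	Encrypt(ctx context.Context, blob []byte) ([]byte, error)
	Decrypt(ctx context.Context, blob []byte) ([]byte, error)
}

type EncryptionOptions func() string
func WithScope(scope string) EncryptionOptions { return func() string { return scope } }
func WithoutScope() EncryptionOptions          { return func() string { return "root" } } // "root" is this example's choice

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce, prepended to the AES-GCM ciphertext
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check rejects any tampered or truncated blob.
func open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	if ns := aead.NonceSize(); len(blob) >= ns { return aead.Open(nil, blob[:ns], blob[ns:], nil) }
	return nil, errors.New("ciphertext too short")
}

// kekProvider is a constructed in-memory KEK holder; a production Provider would wrap DEKs via a KMS.
type kekProvider struct{ kek []byte }
func (p kekProvider) Encrypt(_ context.Context, b []byte) ([]byte, error) { return seal(p.kek, b) }
func (p kekProvider) Decrypt(_ context.Context, b []byte) ([]byte, error) { return open(p.kek, b) }

// envelopeService keeps one DEK per scope, stored only in KEK-wrapped form (what DataKey.EncryptedData holds).
type envelopeService struct {
	kek     Provider
	wrapped map[string][]byte // scope -> DEK wrapped by the current provider
}

func (s *envelopeService) unwrap(ctx context.Context, scope string) ([]byte, error) {
	if w, ok := s.wrapped[scope]; ok { return s.kek.Decrypt(ctx, w) }
	return nil, ErrDataKeyNotFound // no DEK has been bound to this scope yet
}

// Encrypt returns "<scope>#" + AES-GCM(DEK, payload); the prefix tells Decrypt which DEK to unwrap.
func (s *envelopeService) Encrypt(ctx context.Context, payload []byte, opt EncryptionOptions) ([]byte, error) {
	scope := opt()
	dek, err := s.unwrap(ctx, scope)
	if errors.Is(err, ErrDataKeyNotFound) { // first use of this scope: generate a DEK and store it wrapped
		dek = make([]byte, 32)
		if _, err = rand.Read(dek); err == nil {
			s.wrapped[scope], err = s.kek.Encrypt(ctx, dek)
		}
	}
	if err != nil { return nil, err }
	ct, err := seal(dek, payload)
	if err != nil { return nil, err }
	return append([]byte(scope+"#"), ct...), nil
}

func (s *envelopeService) Decrypt(ctx context.Context, payload []byte) ([]byte, error) {
	scope, ct, _ := bytes.Cut(payload, []byte("#"))
	dek, err := s.unwrap(ctx, string(scope))
	if err != nil { return nil, err }
	return open(dek, ct)
}

// ReEncryptDataKeys rewraps every DEK under next; stored payloads stay readable because the DEKs do not change.
func (s *envelopeService) ReEncryptDataKeys(ctx context.Context, next Provider) error {
	for scope := range s.wrapped {
		dek, err := s.unwrap(ctx, scope)
		if err == nil { s.wrapped[scope], err = next.Encrypt(ctx, dek) }
		if err != nil { return err }
	}
	s.kek = next
	return nil
}

func main() {
	svc := &envelopeService{kek: kekProvider{kek: make([]byte, 32)}, wrapped: map[string][]byte{}} // all-zero KEK: constructed, demo only
	ct, _ := svc.Encrypt(context.Background(), []byte("db-password"), WithScope("user:10"))
	pt, _ := svc.Decrypt(context.Background(), ct)
	fmt.Printf("%d-byte envelope decrypts to %q\n", len(ct), pt)
}
```

Two properties of the design are worth noticing. Because the stored secrets are encrypted under a DEK and only the DEK is encrypted under the KEK, rotating the KEK (ReEncryptDataKeys) is a small operation over the data keys rather than a rewrite of every secret, which is why the page's Store exposes ReEncryptDataKeys separately from the secrets themselves. And because every scope gets its own DEK, a caller that can decrypt one scope's envelope learns nothing about another scope's key material.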
