secrets

package
v11.1.4-modfix
Published: Aug 20, 2024 License: AGPL-3.0 Imports: 5 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var ErrDataKeyNotFound = errors.New("data key not found")

Functions

func KeyLabel

func KeyLabel(scope string, providerID ProviderID) string

Types

type BackgroundProvider

type BackgroundProvider interface {
	Run(ctx context.Context) error
}

BackgroundProvider should be implemented by a provider that has a task that needs to run in the background.

type DataKey

type DataKey struct {
	Active        bool
	Id            string `xorm:"name"` // renaming the col in the db itself would break backward compatibility with 8.5.x
	Label         string
	Scope         string
	Provider      ProviderID
	EncryptedData []byte
	Created       time.Time
	Updated       time.Time
}

type EncryptionOptions

type EncryptionOptions func() string

func WithScope

func WithScope(scope string) EncryptionOptions

WithScope uses a data key for encryption bound to a specific scope (e.g., a user or an org). A scope should look like "user:10" or "org:1".

func WithoutScope

func WithoutScope() EncryptionOptions

WithoutScope uses a root-level data encryption key (DEK) for encryption, that is, a DEK that is not bound to any specific scope (not attached to any user, org, etc.).

type Migrator

type Migrator interface {
	// ReEncryptSecrets decrypts and re-encrypts the secrets with most recent
	// available data key. If a secret-specific decryption / re-encryption fails,
	// it does not stop, but returns false as the first return (success or not)
	// at the end of the process.
	ReEncryptSecrets(ctx context.Context) (bool, error)
	// RollBackSecrets decrypts and re-encrypts the secrets using the legacy
	// encryption. If a secret-specific decryption / re-encryption fails, it
	// does not stop, but returns false as the first return (success or not)
	// at the end of the process.
	RollBackSecrets(ctx context.Context) (bool, error)
}

Migrator is responsible for secrets migrations like re-encrypting or rolling back secrets.

type Provider

type Provider interface {
	Encrypt(ctx context.Context, blob []byte) ([]byte, error)
	Decrypt(ctx context.Context, blob []byte) ([]byte, error)
}

Provider is a key encryption key (KEK) provider for envelope encryption: it encrypts and decrypts data keys, not the secrets themselves, which are protected by those data keys.

type ProviderID

type ProviderID string

func (ProviderID) Kind

func (id ProviderID) Kind() (string, error)

type Service

type Service interface {
	// Encrypt MUST NOT be used within database transactions, as it may cause database locks.
	// For the specific use cases where the encryption operation cannot be moved outside
	// the database transaction, use the database-specific methods on the concrete
	// implementation, manager.SecretsService.
	Encrypt(ctx context.Context, payload []byte, opt EncryptionOptions) ([]byte, error)
	Decrypt(ctx context.Context, payload []byte) ([]byte, error)

	// EncryptJsonData MUST NOT be used within database transactions.
	// Look at Encrypt method comment for further details.
	EncryptJsonData(ctx context.Context, kv map[string]string, opt EncryptionOptions) (map[string][]byte, error)
	DecryptJsonData(ctx context.Context, sjd map[string][]byte) (map[string]string, error)

	GetDecryptedValue(ctx context.Context, sjd map[string][]byte, key, fallback string) string

	RotateDataKeys(ctx context.Context) error
	ReEncryptDataKeys(ctx context.Context) error
}

Service is an envelope encryption service in charge of encrypting/decrypting secrets. It is a replacement for encryption.Service.

For all encrypted secrets stored in the database, a migrator is needed to re-encrypt the secrets whenever the encryption key is rotated. Please add your database secrets to the migrator slice available in ./migrator/migrator.go.
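The envelope model behind Provider, DataKey.EncryptedData and Service.Encrypt, as an added example that is not part of this package: a Provider (the KEK) only ever wraps a per-secret data encryption key (DEK), and only the DEK touches the payload, which is what makes key rotation a matter of re-wrapping DEKs rather than re-encrypting every secret. The aesKey type, newAESKey and the EnvelopeEncrypt/EnvelopeDecrypt helpers are assumptions for this example (an in-memory AES-GCM stand-in for a real KMS-backed provider), not the package's own code.

```go
package main
import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Provider interface { // the page's key-encryption-key (KEK) interface
	Encrypt(ctx context.Context, blob []byte) ([]byte, error)
	Decrypt(ctx context.Context, blob []byte) ([]byte, error)
}
// aesKey is a hypothetical in-memory AES-GCM key constructed for this example. It
// plays the KEK (a real Provider would call a KMS or HSM) and doubles as the DEK.
type aesKey struct{ cipher.AEAD }
func newAESKey(raw []byte) (aesKey, error) { // raw must be 16, 24 or 32 bytes
	block, err := aes.NewCipher(raw)
	if err != nil { return aesKey{}, err }
	aead, err := cipher.NewGCM(block)
	return aesKey{aead}, err
}
func (k aesKey) Encrypt(_ context.Context, pt []byte) ([]byte, error) {
	nonce := make([]byte, k.NonceSize()) // fresh random nonce; output is nonce || ct || tag
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return k.Seal(nonce, nonce, pt, nil), nil
}
func (k aesKey) Decrypt(_ context.Context, blob []byte) ([]byte, error) {
	n := k.NonceSize()
	if len(blob) < n { return nil, fmt.Errorf("blob too short: %d bytes", len(blob)) }
	return k.Open(nil, blob[:n], blob[n:], nil) // fails closed on any tampered byte
}

// EnvelopeEncrypt: fresh DEK per secret, wrapped by the KEK (what DataKey.EncryptedData
// holds); the payload is sealed under the DEK only, never under the KEK directly.
func EnvelopeEncrypt(ctx context.Context, kek Provider, payload []byte) (wrappedDEK, ct []byte, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil { return nil, nil, err }
	dek, _ := newAESKey(raw) // cannot fail: raw is 32 bytes
	if wrappedDEK, err = kek.Encrypt(ctx, raw); err != nil { return nil, nil, err }
	ct, err = dek.Encrypt(ctx, payload)
	return wrappedDEK, ct, err
}
// EnvelopeDecrypt unwraps the DEK first, so a wrong or rotated-away KEK fails here.
func EnvelopeDecrypt(ctx context.Context, kek Provider, wrappedDEK, ct []byte) ([]byte, error) {
	raw, err := kek.Decrypt(ctx, wrappedDEK)
	if err != nil { return nil, err }
	dek, err := newAESKey(raw)
	if err != nil { return nil, err }
	return dek.Decrypt(ctx, ct)
}
```

Rotating the KEK then means unwrapping each stored DEK with the old Provider and re-wrapping it with the current one, which is exactly the shape of Store.ReEncryptDataKeys above.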

type Store

type Store interface {
	GetDataKey(ctx context.Context, id string) (*DataKey, error)
	GetCurrentDataKey(ctx context.Context, label string) (*DataKey, error)
	GetAllDataKeys(ctx context.Context) ([]*DataKey, error)
	CreateDataKey(ctx context.Context, dataKey *DataKey) error
	DisableDataKeys(ctx context.Context) error
	DeleteDataKey(ctx context.Context, id string) error
	ReEncryptDataKeys(ctx context.Context, providers map[ProviderID]Provider, currProvider ProviderID) error
}

Store defines the methods used to interact with secrets storage.
