unicreds

package module
v1.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 15, 2015 License: MIT Imports: 19 Imported by: 0

README

unicreds

unicreds is currently a pretty faithful port of credstash to golang. This utility enables secure storage secrets in DynamoDB using KMS to encrypt and sign these Credentials. Access to these keys is controlled using IAM.

setup

  1. Add and configure a KMS key in IAM with the alias credstash, ensure this is created in the correct region as the user interface for this is quite confusing.
  2. Run unicreds setup to create the dynamodb table in your region, ensure you have your credentials configured using the awscli.

usage

usage: unicreds [<flags>] <command> [<args> ...]

A credential/secret storage command line tool.

Flags:
  --help                     Show context-sensitive help (also try --help-long and --help-man).
  --debug                    Enable debug mode.
  --csv                      Enable csv output for table data.
  --alias="alias/credstash"  KMS key alias.
  --version                  Show application version.

Commands:
  help [<command>...]
    Show help.

  setup
    Setup the dynamodb table used to store credentials.

  get <credential>
    Get a credential from the store.

  getall
    Get all credentials from the store.

  list
    List all credentials names and version.

  put <credential> <value> [<version>]
    Put a credential in the store.

  delete <credential>
    Delete a credential from the store.

why

The number one reason for this port is platform support, getting credstash running on Windows and some older versions of Redhat Enterprise is a pain. Golang is fantastic at enabling simple deployment of core tools across a range of platforms with very little friction.

In addition to this we have some ideas about how this tool can be expanded to support some interesting use cases we have internally.

That said we have learnt a lot from how credstash worked and aim to remain compatible with it in the future where possible.

license

This code is Copyright (c) 2015 Versent and released under the MIT license. All rights not explicitly granted in the MIT license are reserved. See the included LICENSE.md file for more details.

Documentation

Index

Constants

View Source
const (
	// TableFormatTerm format the table for a terminal session
	TableFormatTerm = iota // 0
	// TableFormatCSV format the table as CSV
	TableFormatCSV // 1
)
View Source
const (
	// Table the name of the dynamodb table
	Table = "credential-store"

	// KmsKey default KMS key alias name
	KmsKey = "alias/credstash"
)

Variables

View Source
var (

	// ErrSecretNotFound returned when unable to find the specified secret in dynamodb
	ErrSecretNotFound = errors.New("Secret Not Found")

	// ErrHmacValidationFailed returned when the hmac signature validation fails
	ErrHmacValidationFailed = errors.New("Secret HMAC validation failed")

	// ErrTimeout timeout occured waiting for dynamodb table to create
	ErrTimeout = errors.New("Timed out waiting for dynamodb table to become active")
)

Functions

func ComputeHmac256

func ComputeHmac256(message, secret []byte) string

ComputeHmac256 compute a hmac256 signature of the supplied message and return the value hex encoded

func Decode

func Decode(data map[string]*dynamodb.AttributeValue, rawVal interface{}) error

Decode decode the supplied struct from the dynamodb result map

func Decrypt

func Decrypt(key, ciphertext []byte) ([]byte, error)

Decrypt AES encryption method which matches the pycrypto package using CTR and AES256. Note this routine seeds the counter/iv with a value of 1 then throws it away?!

func DeleteSecret

func DeleteSecret(name string) error

DeleteSecret delete a secret

func Encode

func Encode(rawVal interface{}) (map[string]*dynamodb.AttributeValue, error)

Encode return the value encoded as a map of dynamo attributes.

func Encrypt

func Encrypt(key, plaintext []byte) ([]byte, error)

Encrypt AES encryption method which matches the pycrypto package using CTR and AES256. Note this routine seeds the counter/iv with a value of 1 then throws it away?!

func PutSecret

func PutSecret(name, secret, version string) error

PutSecret retrieve the secret from dynamodb

func SetDynamoDBConfig added in v1.0.2

func SetDynamoDBConfig(config *aws.Config)

SetDynamoDBConfig override the default aws configuration

func SetKMSConfig added in v1.0.2

func SetKMSConfig(config *aws.Config)

SetKMSConfig override the default aws configuration

func Setup

func Setup() (err error)

Setup create the table which stores credentials

Types

type Credential

type Credential struct {
	Name     string `ds:"name"`
	Version  string `ds:"version"`
	Key      string `ds:"key"`
	Contents string `ds:"contents"`
	Hmac     string `ds:"hmac"`
}

Credential managed credential information

type DataKey

type DataKey struct {
	CiphertextBlob []byte
	Plaintext      []byte
}

DataKey which contains the details of the KMS key

func DecryptDataKey

func DecryptDataKey(ciphertext []byte) (*DataKey, error)

DecryptDataKey ask kms to decrypt the supplied data key

func GenerateDataKey

func GenerateDataKey(alias string, size int) (*DataKey, error)

GenerateDataKey simplified method for generating a datakey with kms

type DecryptedCredential

type DecryptedCredential struct {
	*Credential
	Secret string
}

DecryptedCredential managed credential information

func GetSecret

func GetSecret(name string) (*DecryptedCredential, error)

GetSecret retrieve the secret from dynamodb using the name

func ListSecrets

func ListSecrets() ([]*DecryptedCredential, error)

ListSecrets return a list of secrets

type TableWriter

type TableWriter struct {
	// contains filtered or unexported fields
}

TableWriter enables writing of tables in a variety of formats

func NewTable

func NewTable(wr io.Writer) *TableWriter

NewTable create a new table writer

func (*TableWriter) BulkWrite

func (tw *TableWriter) BulkWrite(rows [][]string)

BulkWrite append an array of rows to the buffer

func (*TableWriter) Render

func (tw *TableWriter) Render() error

Render render the table out to the supplied writer

func (*TableWriter) SetFormat

func (tw *TableWriter) SetFormat(tableFormat int)

SetFormat set the format

func (*TableWriter) SetHeaders

func (tw *TableWriter) SetHeaders(headers []string)

SetHeaders set the column headers

func (*TableWriter) Write

func (tw *TableWriter) Write(row []string)

Directories

Path Synopsis
cmd

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL