README
¶
Secret service
Secret service provide convenient way of handling credentials. Service uses credential config to store various provided credentials.
Credentials retrieval
Service supports the following form of secret to retrieve credentials:
- URL i.e. mem://secret/localhost.json
- Relative path i.e. localhost.json, in this case based directory will be used to lookup credential resource
- Short name i.e. localhost, in this case based directory will be used to lookup credential resource and .json ext will be added.
- Inline certificates or secrets that does not represent resource location are placed into cred.Config.Data
Base directory can be file or URL, if empty '$HOME/.secret/' is used
service := New(baseDirectory, false)
var secret = "localhost"
service.GetCredentials(secret)
Credentials generation
Service allows for interactive credential generation, in this scenario services asks a user for username and password for supplied secret. Optionally private key path can be supplied for pub key based auth.
privateKeyPath := ""//optional path
secret := "localhost"
service := New(baseDirectory, false)
location, err := service.Create(secret, privateKeyPath)
The following example uses service in the interactive mode, which will try to lookup credential for supplied key, if failed it will ask a user for credential in terminal.
service := New(baseDirectory, true)
config, err := service.GetOrCreate("xxxx")
Secret expansion
Very common case for the application it to take encrypted credential to used wither username or password. For example while running terminal command we may need to provide super user password and sometimes other secret, in one command that we do not want to reveal to final user.
Take the following code as example:
service := New(baseDirectory, true)
secrets := NewSecrets()
{//password expansion
secrets["mysql"] = "~/.secret/mysql.json"
input := "docker run --name db1 -e MYSQL_ROOT_PASSWORD=${mysql.password} -d mysql:tag"
expaned, err := service.Expand(input, secrets)
}
{//username and password expansion
secrets["pg"] = "~/.secret/pg.json"
input := "docker run --name some-postgres -e POSTGRES_PASSWORD=${pg.password} -e POSTGRES_USER=${pg.username} -d postgres"
expaned, err := service.Expand(input, secrets)
}
Secrets represents credentials secret map defined as type Secrets map[SecretKey]Secret
Here are some possible combination of secret map pairs.
{
"git": "${env.HOME}/.secret/git.json",
"github.com": "${env.HOME}/.secret/github.json",
"github.private.com": "${env.HOME}/.secret/github-private.json",
"**replace**": "${env.HOME}/.secret/git.json"
}
The secret key can be static or dynamic. The first type in input/command is enclosed with either '*' or '#', the later is not.
In the command corresponding dynamic key can be enclosed with the following
- '${secretKey.password}' for password expansion i.e. command: ${git.password} will expand to password from git secret key
- '**' for password expansion i.e. command:
**git**will expand to password from git secret key - '${secretKey.username}' for username expansion i.e. command: ${git.username} will expand to username from git secret key
- '##' for username expansion i.e. command:
##git##will expand to username from git secret key
Documentation
¶
Index ¶
- Variables
- type Secret
- type SecretKey
- type Secrets
- type Service
- func (s *Service) Create(name, privateKeyPath string) (string, error)
- func (s *Service) CredentialsFromLocation(secret string) (*cred.Config, error)
- func (s *Service) CredentialsLocation(secret string) (string, error)
- func (s *Service) Expand(input string, credentials map[SecretKey]Secret) (string, error)
- func (s *Service) GetCredentials(secret string) (*cred.Config, error)
- func (s *Service) GetOrCreate(secret string) (*cred.Config, error)
Constants ¶
This section is empty.
Variables ¶
var ReadUserAndPassword = func(timeout time.Duration) (user string, pass string, err error) { completed := make(chan bool) var reader = func() { defer func() { completed <- true }() var bytePassword, bytePassword2 []byte reader := bufio.NewReader(os.Stdin) fmt.Print("Enter Username: ") user, _ = reader.ReadString('\n') fmt.Print("Enter Password: ") bytePassword, err = terminal.ReadPassword(int(syscall.Stdin)) if err != nil { err = fmt.Errorf("failed to read password %v", err) return } fmt.Print("\nRetype Password: ") bytePassword2, err = terminal.ReadPassword(int(syscall.Stdin)) if err != nil { err = fmt.Errorf("failed to read password %v", err) return } password := string(bytePassword) if string(bytePassword2) != password { err = errors.New("password did not match") } } go reader() select { case <-completed: case <-time.After(timeout): err = fmt.Errorf("reading credential timeout") } user = strings.TrimSpace(user) pass = strings.TrimSpace(pass) return user, pass, err }
var ReadingCredentialTimeout = time.Second * 45
ReadingCredentialTimeout represents max time for providing CredentialsFromLocation
Functions ¶
This section is empty.
Types ¶
type Secret ¶
type Secret string
Secret represents a secret
func (Secret) IsLocation ¶
IsLocation returns true if secret is a location
type SecretKey ¶
type SecretKey string
* SecretKey represent secret key Take the following secrets as example: <pre>
"secrets": {
"git": "${env.HOME}/.secret/git.json",
"github.com": "${env.HOME}/.secret/github.json",
"github.private.com": "${env.HOME}/.secret/github-private.json",
"**replace**": "${env.HOME}/.secret/git.json",
}
</pre>
The secret key can be static or dynamic. The first type is already enclosed with '*' or '#', the later is not.
In the command corresponding dynamic key can be enclosed with the following '**' for password expansion i.e. command: **git** will expand to password from git secret key '##' for username expansion i.e. command: ##git## will expand to username from git secret key
type Service ¶
type Service struct {
// contains filtered or unexported fields
}
represents a secret service
func (*Service) CredentialsFromLocation ¶
Credentials returns credential config for supplied location.
func (*Service) CredentialsLocation ¶
func (*Service) GetCredentials ¶
Credentials returns credential config
Source Files