secrets

package
v0.0.0-...-ee8abc8 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 23, 2022 License: MIT Imports: 24 Imported by: 0

Documentation

Overview

Package secrets is a helper I use to store my secrets for use with my dotfiles but in such a way as that I don't store the secrets in the dotfiles.

All secrets are kept in a Keeper. This is a simple abstraction around a key/value store. From there, I have four major keepers that I use:

  1. The master password Keeper is an in memory Keeper that allows me to store and retreive master passwords for the other secure Keepers. This runs as a service available only to the local machine.
  1. The local insecure password Keeper is used to store secrets that need no special protections. These are stored similar to a netrc setup (but not using netrc).
  1. The local secure password Keeper is a Keepass database, which replicates my remote secure password Keeper. This is also a backup I use in case LastPass decides to stop granting me access to my own data.
  1. The remote secure password Keeper is a LastPass database that is sync'd with my other devices automtically. This contains both secure and insecre secrets.

Index

Constants

View Source 
const (
	ZostayHighSecurityGroup = "Robot"    // category name for high-security managed secrets
	ZostayLowSecurityGroup  = "Insecure" // category name for low-security managed secrets

	KeepassMasterKey        = "KEEPASS-MASTER-sterling" // the key to the master password for Keepass
	LastPassMasterKeyPrefix = "LASTPASS-MASTER-"        // the key to the master password for LastPass (minus username)
	LastPassEnvFile         = ".zshrc.local"            // where to find the LPASS_USERNAME
	LastPassUserEnvKey      = "LPASS_USERNAME"          // environment file key with LastPass username set

	ZostayKeepassFile = ".zostay.kdbx" // name of my keepass file

	ZostayLowSecuritySecretsFile = ".secrets.yaml" // where to store low security secrets
)
View Source 
const (
	MySecretKeeper = "127.0.0.1:10109" // available to apps running on the local host
)

Variables

View Source 
var (
	ZostayKeepassPath string // path to my keepass file

	ZostayLowSecuritySecretsPath string // the path to the low secrutiy secrets

	LastPassUsername string // the lastpass username
)
View Source 
var (
	ErrNotFound = errors.New("secret not found") // error returned by a secrets.Keeper when a secret is not found
)

Functions

func GetMasterPassword 

func GetMasterPassword(which, name string) (string, error)

GetMasterPassword checks to see if the named master password is stored and available for retrieval. It returns it if it is. If it is not, it will popup a dialog box prompting the user to enter it.

func MustGet 

func MustGet(keeper func() (Keeper, error), name string) string

MustGet is a helper to allow you to quickly get a secret from a keeper.

func PinEntry 

func PinEntry(title, desc, prompt, ok string) (string, error)

PinEntry is a tool that makes it easier to display a dialog prompting the user for a password.

func SetMasterPassword 

func SetMasterPassword(name, secret string) error

SetMasterPassword sets the named master password.

Types

type Cacher 

type Cacher struct {
	// contains filtered or unexported fields
}

Cacher is a dual component secret Keeper that attempts to keep both of the keepers present in sync. One Keeper is treated as the source of truth and the other is the target for more truth.

func NewCacher 

func NewCacher(src, target Keeper, timeout time.Duration) *Cacher

NewCacher constructs a Cacher Keeper from the given source and target Keepers.

func (*Cacher) GetSecret 

func (c *Cacher) GetSecret(name string) (*Secret, error)

GetSecret retrieves the requested secret from the target Keeper. If it is not found on the target, it retreives it from the source. An error is returned if this retrieval fails (including failure of ErrNotFound). Hoewver, if the get succeeds, the target is updated to set the secret in the target Keeper.

If the secret is retreived from the target and the target has a non-zero LastModified time, that time is checked to see if it's older than the timeout configured during construction. If it is, the secret is retrieved from source anyway to resync.

If the initial get from the target results in an error other than ErrNotFound, that error is returned with no other action having been performed.

If the initial get from the target succeeds, the result is returned immediately.

func (*Cacher) RemoveSecret 

func (c *Cacher) RemoveSecret(name string) error

RemoveSecret is a no-op. Don't call it. Always returns an error.

func (*Cacher) SetSecret 

func (c *Cacher) SetSecret(secret *Secret) error

SetSecret sets the secret in both the source and target Keepers.

type EntryGroup 

type EntryGroup struct {
	Group *keepass.Group
	Entry *keepass.Entry
}

EntryGroup groups an entry with it's group during a walk.

type GetSecretResponse 

type GetSecretResponse struct {
	Err    string
	Secret string
}

GetSecretResponse is the response expected from GET requests to the Keeper HTTP server.

type Http 

type Http struct {
	// contains filtered or unexported fields
}

Http is a Keeper that interacts with the zostay-secrets keeper server to retrieve secrets.

func NewHttp 

func NewHttp() *Http

NewHttp creates a new Http Keeper.

func (*Http) GetSecret 

func (h *Http) GetSecret(name string) (*Secret, error)

GetSecret contacts the HTTP server secret Keeper with the name of the secret to retrieve. If there is an error contacting the server, reading the response from the server, or the server returns an error in the response, an error is returned. Otherwise, the secret is returned.

func (*Http) Ping 

func (h *Http) Ping(ctx context.Context) error

Ping performs a ping request on the server and confirms that the answer from the server is as expected. On success, returns nil. On failure, returns an error.

func (*Http) RemoveSecret 

func (h *Http) RemoveSecret(name string) error

func (*Http) SetSecret 

func (h *Http) SetSecret(secret *Secret) error

SetSecret sends the given name and secret value to the HTTP secret server for storage. If there is an error formatting the message, contacting the server, reading the response from the server, or the server returned an error in the response, an error will be returned.

On success, this function returns nil.

type Internal 

type Internal struct {
	// contains filtered or unexported fields
}

Internal is a Keeper that stores secrets in memory.

func MustNewInternal 

func MustNewInternal() *Internal

MustNewInternal calls NewInternal and panics if it returns an error.

func NewInternal 

func NewInternal() (*Internal, error)

NewInternal constructs a new secret memory store.

func (*Internal) GetSecret 

func (i *Internal) GetSecret(name string) (*Secret, error)

GetSecret retrieves the named secret from the internal memory store.

func (*Internal) RemoveSecret 

func (i *Internal) RemoveSecret(name string) error

RemoveSecret removes the named secret from the store.

func (*Internal) SetSecret 

func (i *Internal) SetSecret(secret *Secret) error

SetSecret saves the named secret to the given value in the internal memory store.

type Keepass 

type Keepass struct {
	fssafe.LoaderSaver
	// contains filtered or unexported fields
}

Keepass is a Keeper with access to a Keepass password database.

func NewKeepass 

func NewKeepass(path, master, group string) (*Keepass, error)

NewKeepass creates a new Keepass Keeper and returns it. If no database exists yet, it will create an empty one. It returns an error if there's a problem reading the Keepass database.

func (*Keepass) GetSecret 

func (k *Keepass) GetSecret(name string) (*Secret, error)

GetSecret retrieves the named secret from the Keepass database.

func (*Keepass) RemoveSecret 

func (k *Keepass) RemoveSecret(name string) error

RemoveSecret removes the named secret from the Keepass database and saves the change.

func (*Keepass) SetSecret 

func (k *Keepass) SetSecret(secret *Secret) error

SetSecret sets the given secret in the ZostayRobotGroup, creating that group if it does not yet exist.

func (*Keepass) Walker 

func (k *Keepass) Walker() *KeepassWalker

Walker creates an iterator for walking through the Keepass database records.

type KeepassWalker 

type KeepassWalker struct {
	// contains filtered or unexported fields
}

KeepassWalker represents a tool for walking Keepass records.

func (*KeepassWalker) Entry 

func (w *KeepassWalker) Entry() *EntryGroup

Entry retrieves the current entry to inspect during iteration.

func (*KeepassWalker) Next 

func (w *KeepassWalker) Next() bool

Next returns the next record for iteration.

type Keeper 

type Keeper interface {
	// GetSecret should return the secret with the given name. If it makes a
	// difference to the storage mechanism, the storage should prefer secrets
	// found in the category named by ZostayRobotGroup.
	//
	// On success, return the secret string and no error.
	//
	// When the secret is not found, return an empty string and ErrNotFound.
	//
	// When their is an error with the secret store, return an empty string and
	// an error.
	GetSecret(name string) (*Secret, error)

	// SetSecret stores the secret in the Keeper's store. The two arguments are
	// the name to give the secret and the cleartext secret, resepctively. For
	// stores where it matters, the secret should be stored in the group or
	// category named by ZostayRobotGroup.
	//
	// On success, this method should return nil.
	//
	// If there is a problem storing the secret, this method should return an error.
	SetSecret(secret *Secret) error

	// RemoveSecret removes the named secret from the Keeper's store.
	//
	// On success, this method should return nil.
	//
	// If there is a problem deleting the secret, this method should return an
	// error.
	RemoveSecret(name string) error
}

Keeper is the interface that all secret keepers follow.

func Insecure 

func Insecure() (Keeper, error)

Insecure returns my caching secret keeper for insecure secrets.

func InsecureLocal 

func InsecureLocal() (Keeper, error)

InsecureLocal returns the Keeper for local insecure secrets.

func InsecureMain 

func InsecureMain() (Keeper, error)

InsecureMain returns my primary secret Keeper for storing insecure secrets.

func Master 

func Master() (Keeper, error)

Master returns the client Keeper to reach the master secret Keeper.

func Secure 

func Secure() (Keeper, error)

Secure returns my caching secret keeper for secure secrets.

func SecureLocal 

func SecureLocal() (Keeper, error)

SecureLocal returns the Keeper for local secure secrets.

func SecureMain 

func SecureMain() (Keeper, error)

SecureMain returns my primary secret Keeper for stroing secure secrets.

type Keyring 

type Keyring struct {
	// contains filtered or unexported fields
}

Keyring is a Keeper that allows the user to get and set secrets in the system keyring identified by SecretServiceName.

func NewKeyring 

func NewKeyring(ssn string) *Keyring

NewKeyring constructs a new secret Keeper that can talkt ot he system keyring tools. You must specify a service name to identify the application with.

func (*Keyring) GetSecret 

func (k *Keyring) GetSecret(name string) (*Secret, error)

GetSecret retrieves the named secret from the system keyring.

func (*Keyring) RemoveSecret 

func (k *Keyring) RemoveSecret(name string) error

RemoveSecret deletes the named secret.

func (*Keyring) SetSecret 

func (k *Keyring) SetSecret(secret *Secret) error

SetSecret sets the named secret to the given value in the system keyring.

type LastPass 

type LastPass struct {
	// contains filtered or unexported fields
}

LastPass is a secret Keeper that gets secrets from the LastPass password manager service.

func NewLastPass 

func NewLastPass(cat, u, p string, limit bool) (*LastPass, error)

NewLastPass constructs and returns a new LastPass Keeper or returns an error if there was a problem during construction.

The cat argument sets the name of the group to use when setting secrets. If the limit parameter is true, then getting a secret will be limited to secrets in the group named by cat.

func (*LastPass) GetSecret 

func (l *LastPass) GetSecret(name string) (*Secret, error)

GetSecret returns the secret from the Lastpass service.

func (*LastPass) RemoveSecret 

func (l *LastPass) RemoveSecret(name string) error

RemoveSecret removes the secret from the LastPass service.

func (*LastPass) SetSecret 

func (l *LastPass) SetSecret(secret *Secret) error

SetSecret sets the secret into the LastPass service.

type LocumTenens 

type LocumTenens struct {
	// contains filtered or unexported fields
}

LocumTenens is a Keeper that stands in the place of others. It wraps zero or more other Keepers. Secrets gotten from it will return the first secret found. Secrets stored to it will store in the first Keeper that does not return an error when storing the secret.

func NewLocumTenens 

func NewLocumTenens() *LocumTenens

NewLocumTenens constructs a new LocumTenens. Use AddKeeper to add Keepers inside before using it. If you do not, GetSecret will always return ErrNotFound and SetSecret will always fail with an error.

func (*LocumTenens) AddKeeper 

func (l *LocumTenens) AddKeeper(k Keeper)

AddKeeper adds the given Keeper to those wrapped. GetSecret and SetSecret operations will prefer Keepers added first.

func (*LocumTenens) GetSecret 

func (l *LocumTenens) GetSecret(name string) (*Secret, error)

GetSecret returns the first secret found by querying each wrapped Keeper. If no keepers are wrapped or the secret is found in none of them, it returns ErrNotFound.

func (*LocumTenens) RemoveSecret 

func (l *LocumTenens) RemoveSecret(name string) error

RemoveSecret removes the secret from each keeper.

func (*LocumTenens) SetSecret 

func (l *LocumTenens) SetSecret(secret *Secret) error

SetSecret tries to store the secret in each Keeper in the ordered they were added via calls to AddKeeper. If SetSecret for a keeper returns an error, the next keeper is tried until there's a success. Then the operation quits. If there are zero Keepers or they all return errors, then this returns an error as well.

type LowSecurity 

type LowSecurity struct {
	fssafe.LoaderSaver
}

LowSecurity is a secret Keeper that stores secrets in plain text. There are a few secrets are used in such a way that no additional security is required.

func NewLowSecurity 

func NewLowSecurity(path string) *LowSecurity

NewLowSecurity creates a low security secret store at the given path.

func (*LowSecurity) GetSecret 

func (s *LowSecurity) GetSecret(name string) (*Secret, error)

GetSecret retrieves the named secret.

func (*LowSecurity) RemoveSecret 

func (s *LowSecurity) RemoveSecret(name string) error

func (*LowSecurity) SetSecret 

func (s *LowSecurity) SetSecret(secret *Secret) error

SetSecret saves the named secret.

type Secret 

type Secret struct {
	Name  string // the name given to the secret
	Value string // the secret/password/key associated with the secret

	Username     string    // the username associated with the secret
	LastModified time.Time // time the secret was last modified (may be time.Time{} if that's not known)
	Group        string    // the group the secret is in (if any)
}

Secret represents an individual secret stored. This may contain some amount of metadata in addition to the secret name and value.

type SetSecretRequest 

type SetSecretRequest struct {
	Name   string
	Secret string
}

SetSecretRequest is the structure of requests to the HTTP secret Keeper server.

type SetSecretResponse 

type SetSecretResponse struct {
	Err string
}

SetSecretResponse is the structure of responess from the HTTP secret Keeper server.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.