secrets

v0.8.1
Published: Jan 15, 2026 License: MIT Imports: 31 Imported by: 14


Constants

const (
	CredentialSchema = `` /* 276-byte string literal not displayed */

	ApiKeySchema = `` /* 212-byte string literal not displayed */

	AWSCredentialSchema = `` /* 349-byte string literal not displayed */

	OauthCredentialSchema = `` /* 290-byte string literal not displayed */

	DatabaseCredentialSchema = `` /* 315-byte string literal not displayed */

	Oauth2TokenSchema = `` /* 500-byte string literal not displayed */

	CryptoKeySchema = `` /* 211-byte string literal not displayed */

)

Variables

This section is empty.

Functions

func MakeRenewalLogger

func MakeRenewalLogger(cm ClientManager, log log.LeveledLogger, terminator func()) service.RunnerFunc

MakeRenewalLogger subscribes to a ClientManager notification channel and logs each notification to the logger. If a critical credential fails, the terminator callback is called; it should shut down the application in an orderly fashion.
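The following is an added, self-contained example (not the package's own code) of the behaviour described for MakeRenewalLogger. It redeclares the page's Renewal struct locally, drains the notification channel, logs each event at a level matching its severity, and calls the terminator once on the first critical failure. The single-call behaviour, the log format and the sample events are assumptions made for the example; the real RunnerFunc and LeveledLogger types are not used.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Renewal mirrors the secrets.Renewal struct shown on this page (redeclared so the
// example runs without the package).
type Renewal struct {
	Name     string
	Critical bool
	Time     time.Time
	Error    error
}

// RenewalLogger drains ch until it is closed. Successful renewals are logged at info,
// non-critical failures at warn, and critical failures at error; the first critical
// failure also fires terminator (assumption: exactly once, since the application is
// expected to be shutting down afterwards).
func RenewalLogger(ch <-chan Renewal, logf func(level, msg string), terminator func()) {
	terminated := false
	for r := range ch {
		switch {
		case r.Error == nil:
			logf("info", fmt.Sprintf("credential %q renewed at %s", r.Name, r.Time.UTC().Format(time.RFC3339)))
		case r.Critical:
			logf("error", fmt.Sprintf("critical credential %q failed to renew: %v; shutting down", r.Name, r.Error))
			if !terminated {
				terminated = true
				terminator()
			}
		default:
			logf("warn", fmt.Sprintf("non-critical credential %q failed to renew: %v", r.Name, r.Error))
		}
	}
}

// RunScenario delivers a constructed event sequence over a buffered channel, closes it so
// RenewalLogger returns, and reports the log lines and how many times terminator fired.
func RunScenario(events []Renewal) (lines []string, terminations int) {
	ch := make(chan Renewal, len(events))
	for _, e := range events {
		ch <- e
	}
	close(ch)
	RenewalLogger(ch, func(level, msg string) {
		lines = append(lines, level+": "+msg)
	}, func() { terminations++ })
	return lines, terminations
}

// SampleEvents is a constructed sequence: one successful renewal, one non-critical failure
// and two critical failures (the second must not trigger a second shutdown).
func SampleEvents() []Renewal {
	now := time.Date(2026, 1, 15, 12, 0, 0, 0, time.UTC)
	return []Renewal{
		{Name: "database/app", Time: now},
		{Name: "cache/token", Time: now.Add(time.Minute), Error: errors.New("lease expired")},
		{Name: "database/app", Critical: true, Time: now.Add(2 * time.Minute), Error: errors.New("permission denied")},
		{Name: "database/app", Critical: true, Time: now.Add(3 * time.Minute), Error: errors.New("permission denied")},
	}
}

func main() {
	lines, n := RunScenario(SampleEvents())
	for _, l := range lines {
		fmt.Println(l)
	}
	fmt.Println("terminator calls:", n)
}
```

Running it prints four log lines (info, warn, error, error) followed by "terminator calls: 1"; the non-critical failure is surfaced for operators without taking the process down.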

Types

type AAD

type AAD struct {
	Key   string
	Value any
}

AAD holds additional authenticated data for AEAD ciphers

func (AAD) String

func (a AAD) String() string

type AWSCredential

type AWSCredential struct {
	Path            string // Path is used by the CLI framework
	AccessKeyId     string `json:"access_key" mapstructure:"access_key" yaml:"access_key"`
	SecretAccessKey string `json:"secret_key" mapstructure:"secret_key" yaml:"secret_key"`
	SessionToken    string `json:"security_token" mapstructure:"security_token" yaml:"security_token"`
}

type ApiKey

type ApiKey struct {
	Path string // Path is used by the CLI framework
	Key  string `json:"key" mapstructure:"key" yaml:"key"`
}

func MustGetApiKey

func MustGetApiKey(c Client, ctx context.Context, path string) *ApiKey

type Client

type Client interface {
	DatabaseCredential(ctx context.Context, suffix string) (*Credential, Handle, error)
	Secret(ctx context.Context, suffix string, out any) (Handle, error)
	RawSecret(ctx context.Context, path string, out any) (Handle, error)
	AWSIAMUser(ctx context.Context, name string) (*AWSCredential, Handle, error)
	AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error)
	AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error)
	WriteSecret(ctx context.Context, suffix string, out any) error
	Encrypt(ctx context.Context, suffix string, data []byte) (string, error)
	Decrypt(ctx context.Context, suffix, data string) ([]byte, error)
	EncryptAEAD(ctx context.Context, suffix string, data []byte, aad []fmt.Stringer) (string, error)
	DecryptAEAD(ctx context.Context, suffix, data string, aad []fmt.Stringer) ([]byte, error)
	Destroy(Handle) error
	MakeNonCritical(Handle) error
}

Client is the interface that users of secrets returned by a secret back-end should expect. This interface contains only secret related functionality and none of the functions for running the back-end itself. This is separate from the manager functions to make it easier to inject stubs to code that doesn't care about the fact that a manager may exist.

type ClientManager

type ClientManager interface {
	Client
	Authenticate(context.Context) error
	Notifications() <-chan Renewal
	Run(context.Context, *sync.WaitGroup) error
}

ClientManager is like a Client, and contains a Client, but also carries the runtime functionality for running the secret back-end infrastructure. Most consumers of secrets don't care about that functionality, but the main process runner does.

func NewAutodiscoverVaultClient added in v0.6.0

func NewAutodiscoverVaultClient(ctx context.Context) (ClientManager, error)

func NewAutodiscoverVaultClientWithDomain added in v0.7.0

func NewAutodiscoverVaultClientWithDomain(ctx context.Context, hostname string) (ClientManager, error)

func NewConfigFileClient

func NewConfigFileClient(filesystem fs.FS, name, key string) (ClientManager, error)

NewConfigFileClient creates a new ConfigFileClient by loading a named config file from a filesystem and unmarshalling it. The config file can be in JSON or YAML format, determined by a .json, .yaml, or .yml extension. The configuration must be nested within a key in that file to support sharing the file with other subsystems.

Credentials should be stored in the config file in a format that matches their definitions in client.go.
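As an added example (not the package's own implementation), the loader below shows the file layout NewConfigFileClient describes: an fs.FS is read, the extension selects the format, and the credentials live under one key so the file can be shared with other subsystems. Only the JSON path is implemented because this example uses the standard library alone; .yaml and .yml are recognised but rejected with an error. The Credential struct reuses the json tags shown on this page; the in-memory filesystem, the "secrets" key and the sample entries are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"path"
	"testing/fstest"
)

// Credential mirrors the json tags of secrets.Credential on this page.
type Credential struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// LoadNestedConfig reads name from filesystem, dispatches on the extension the package
// documents (.json, .yaml, .yml) and returns the object stored under key. Each value is kept
// as raw JSON so that callers can unmarshal it into whichever credential type they expect.
func LoadNestedConfig(filesystem fs.FS, name, key string) (map[string]json.RawMessage, error) {
	switch ext := path.Ext(name); ext {
	case ".json":
	case ".yaml", ".yml":
		return nil, fmt.Errorf("%s: YAML needs a YAML decoder, which this example does not include", name)
	default:
		return nil, fmt.Errorf("%s: unsupported extension %q", name, ext)
	}
	data, err := fs.ReadFile(filesystem, name)
	if err != nil {
		return nil, err
	}
	var top map[string]json.RawMessage
	if err := json.Unmarshal(data, &top); err != nil {
		return nil, fmt.Errorf("%s: %w", name, err)
	}
	section, ok := top[key]
	if !ok {
		return nil, fmt.Errorf("%s: key %q not present", name, key)
	}
	var entries map[string]json.RawMessage
	if err := json.Unmarshal(section, &entries); err != nil {
		return nil, fmt.Errorf("%s: key %q: %w", name, key, err)
	}
	return entries, nil
}

// LookupSecret plays the role of Client.Secret for a config-file backend: it unmarshals the
// entry stored at p into out, or fails if no such entry exists.
func LookupSecret(entries map[string]json.RawMessage, p string, out any) error {
	raw, ok := entries[p]
	if !ok {
		return fmt.Errorf("secret %q not found", p)
	}
	return json.Unmarshal(raw, out)
}

// ExampleFS is a constructed in-memory filesystem. Secrets sit under the "secrets" key next
// to an unrelated "server" section, which is the sharing arrangement the package supports.
var ExampleFS = fstest.MapFS{
	"config.json": &fstest.MapFile{Data: []byte(`{
  "server": {"listen": ":8080"},
  "secrets": {
    "db/primary": {"username": "app", "password": "example-only"},
    "api/weather": {"key": "example-only-key"}
  }
}`)},
	"config.yaml": &fstest.MapFile{Data: []byte("secrets: {}\n")},
}

func main() {
	entries, err := LoadNestedConfig(ExampleFS, "config.json", "secrets")
	if err != nil {
		fmt.Println("load:", err)
		return
	}
	var c Credential
	if err := LookupSecret(entries, "db/primary", &c); err != nil {
		fmt.Println("lookup:", err)
		return
	}
	// Log the identity, never the secret itself.
	fmt.Printf("db/primary user=%s password-length=%d\n", c.Username, len(c.Password))
}
```

A missing key, a missing entry or a YAML file each produce a distinct error rather than an empty credential, which keeps a misconfigured file from being mistaken for a valid one.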

func NewNoopClient

func NewNoopClient() (ClientManager, error)

func NewVaultClient

func NewVaultClient(cfg *VaultClientConfig) (ClientManager, error)

NewVaultClient will attempt to create a secrets.Client from the passed config. Config can be nil, in which case an attempt will be made to load the configuration from environment variables. See VaultClientConfig for the expected names of those variables.

type ConfigFileClient

type ConfigFileClient struct {
	// contains filtered or unexported fields
}

ConfigFileClient returns secrets from a JSON or YAML configuration file. This mode isn't as secure as using Vault or some other secret management service but can be useful for users who don't have access to such a service.

Writes to this secret client will silently succeed while doing nothing.

func (*ConfigFileClient) AWSAssumeRole

func (c *ConfigFileClient) AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error)

func (*ConfigFileClient) AWSAssumeRoleSimple

func (c *ConfigFileClient) AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error)

func (*ConfigFileClient) AWSIAMUser

func (c *ConfigFileClient) AWSIAMUser(ctx context.Context, name string) (*AWSCredential, Handle, error)

func (*ConfigFileClient) Authenticate

func (c *ConfigFileClient) Authenticate(ctx context.Context) error

func (*ConfigFileClient) DatabaseCredential

func (c *ConfigFileClient) DatabaseCredential(ctx context.Context, path string) (*Credential, Handle, error)

func (*ConfigFileClient) Decrypt

func (c *ConfigFileClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error)

func (*ConfigFileClient) DecryptAEAD

func (c *ConfigFileClient) DecryptAEAD(ctx context.Context, suffix, data string, aad []fmt.Stringer) ([]byte, error)

func (*ConfigFileClient) Destroy

func (c *ConfigFileClient) Destroy(h Handle) error

func (*ConfigFileClient) Encrypt

func (c *ConfigFileClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error)

func (*ConfigFileClient) EncryptAEAD

func (c *ConfigFileClient) EncryptAEAD(ctx context.Context, suffix string, data []byte, aad []fmt.Stringer) (string, error)

func (*ConfigFileClient) MakeNonCritical

func (c *ConfigFileClient) MakeNonCritical(h Handle) error

func (*ConfigFileClient) Notifications

func (c *ConfigFileClient) Notifications() <-chan Renewal

func (*ConfigFileClient) RawSecret

func (c *ConfigFileClient) RawSecret(ctx context.Context, path string, out any) (Handle, error)

func (*ConfigFileClient) Run

func (*ConfigFileClient) Secret

func (c *ConfigFileClient) Secret(ctx context.Context, path string, out any) (Handle, error)

func (*ConfigFileClient) WriteSecret

func (c *ConfigFileClient) WriteSecret(ctx context.Context, path string, in any) error

type ConfigFileHandle

type ConfigFileHandle struct{}

func (*ConfigFileHandle) Reference

func (h *ConfigFileHandle) Reference() string

type Credential

type Credential struct {
	Path     string // Path is used by the CLI framework
	Username string `json:"username" mapstructure:"username" yaml:"username"`
	Password string `json:"password" mapstructure:"password" yaml:"password"`
}

func MustGetCredential

func MustGetCredential(c Client, ctx context.Context, path string) *Credential

type CryptoKey added in v0.8.0

type CryptoKey[T crypto.PrivateKey] struct {
	Path string // Path is used by the CLI framework
	Key  string `json:"key" mapstructure:"key" yaml:"key"`
}

CryptoKey is a generic cryptography key that is stored as base64 encoded PKCS8 (DER) format.

This will return a pointer for ed25519 keys. Callers should dereference that pointer to use the key.
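The added example below (not the package's own code) reconstructs the contract documented for CryptoKey[T].PrivateKey with a standalone generic function and shows why ed25519 keys come back as a pointer: x509.ParsePKCS8PrivateKey returns *rsa.PrivateKey and *ecdsa.PrivateKey as pointers but ed25519.PrivateKey as a value, so to return *T uniformly the ed25519 value has to be boxed. The function names DecodePKCS8 and EncodePKCS8 and the round-trip helpers are assumptions made for the example; keys are generated on the fly and discarded.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// DecodePKCS8 decodes a base64-encoded PKCS#8 (DER) private key and returns a pointer to the
// concrete type T. Illustrative reconstruction of CryptoKey[T].PrivateKey, not the package's
// implementation. The two assertions handle the parser's two return shapes.
func DecodePKCS8[T crypto.PrivateKey](b64 string) (*T, error) {
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("base64 decode: %w", err)
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, fmt.Errorf("PKCS#8 parse: %w", err)
	}
	if p, ok := key.(*T); ok { // rsa, ecdsa: the parser already returns *T
		return p, nil
	}
	if v, ok := key.(T); ok { // ed25519: the parser returns T by value, so box it
		return &v, nil
	}
	return nil, fmt.Errorf("key is %T, not %T", key, new(T))
}

// EncodePKCS8 produces the stored form (base64 of PKCS#8 DER); used here to build inputs.
func EncodePKCS8(key crypto.PrivateKey) (string, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// RoundTripEd25519 generates a throwaway key, stores and reloads it, and reports whether the
// reloaded key equals the original. The result is *ed25519.PrivateKey; the method call
// dereferences it automatically, which is the "dereference the pointer" step from the docs.
func RoundTripEd25519() (bool, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	b64, err := EncodePKCS8(priv)
	if err != nil {
		return false, err
	}
	got, err := DecodePKCS8[ed25519.PrivateKey](b64)
	if err != nil {
		return false, err
	}
	return got.Equal(priv), nil
}

// RoundTripRSA does the same with an RSA key, where the parser's pointer is returned as is.
func RoundTripRSA() (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	b64, err := EncodePKCS8(priv)
	if err != nil {
		return false, err
	}
	got, err := DecodePKCS8[rsa.PrivateKey](b64)
	if err != nil {
		return false, err
	}
	return got.Equal(priv), nil
}

func main() {
	ok, err := RoundTripEd25519()
	fmt.Println("ed25519 round trip:", ok, err)
	ok, err = RoundTripRSA()
	fmt.Println("rsa round trip:", ok, err)
}
```

Decoding a key of one algorithm with the wrong type parameter fails with a typed error instead of a silent nil, so a mis-stored secret is caught at load time rather than at first signature.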

func (CryptoKey[T]) PrivateKey added in v0.8.0

func (k CryptoKey[T]) PrivateKey() (*T, error)

type DatabaseCredential added in v0.5.4

type DatabaseCredential struct {
	Path     string // Path is used by the CLI framework
	Username string `json:"username" mapstructure:"username" yaml:"username"`
	Password string `json:"password" mapstructure:"password" yaml:"password"`
	Database string `json:"database" mapstructure:"database" yaml:"database"`
}

type Ed25519Key deprecated added in v0.7.0

type Ed25519Key struct {
	Path string // Path is used by the CLI framework
	Key  string `json:"key" mapstructure:"key" yaml:"key"`
}

Ed25519Key is an ed25519 key whose value is stored in base64 encoded DER.

Deprecated: use CryptoKey instead.

func (*Ed25519Key) Ed25519PrivateKey added in v0.7.0

func (k *Ed25519Key) Ed25519PrivateKey() (ed25519.PrivateKey, error)

type Handle

type Handle interface {
	Reference() string
}

type NoopClient

type NoopClient struct {
	// contains filtered or unexported fields
}

NoopClient does nothing and will never fail. It returns empty but non-nil credentials and handles where needed. This is useful for when code paths expect a secret client but using one is not needed.

func (*NoopClient) AWSAssumeRole

func (c *NoopClient) AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error)

func (*NoopClient) AWSAssumeRoleSimple

func (c *NoopClient) AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error)

func (*NoopClient) AWSIAMUser

func (c *NoopClient) AWSIAMUser(ctx context.Context, name string) (*AWSCredential, Handle, error)

func (*NoopClient) Authenticate

func (c *NoopClient) Authenticate(ctx context.Context) error

func (*NoopClient) DatabaseCredential

func (c *NoopClient) DatabaseCredential(ctx context.Context, path string) (*Credential, Handle, error)

func (*NoopClient) Decrypt

func (c *NoopClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error)

func (*NoopClient) DecryptAEAD

func (c *NoopClient) DecryptAEAD(ctx context.Context, suffix, data string, aad []fmt.Stringer) ([]byte, error)

func (*NoopClient) Destroy

func (c *NoopClient) Destroy(h Handle) error

func (*NoopClient) Encrypt

func (c *NoopClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error)

func (*NoopClient) EncryptAEAD

func (c *NoopClient) EncryptAEAD(ctx context.Context, suffix string, data []byte, aad []fmt.Stringer) (string, error)

func (*NoopClient) MakeNonCritical

func (c *NoopClient) MakeNonCritical(h Handle) error

func (*NoopClient) Notifications

func (c *NoopClient) Notifications() <-chan Renewal

func (*NoopClient) RawSecret

func (c *NoopClient) RawSecret(ctx context.Context, path string, out any) (Handle, error)

func (*NoopClient) Run

func (c *NoopClient) Run(ctx context.Context, wg *sync.WaitGroup) error

func (*NoopClient) Secret

func (c *NoopClient) Secret(ctx context.Context, path string, out any) (Handle, error)

func (*NoopClient) WriteSecret

func (c *NoopClient) WriteSecret(ctx context.Context, path string, in any) error

type NoopHandle

type NoopHandle struct{}

func (*NoopHandle) Reference

func (h *NoopHandle) Reference() string

type Oauth2Token added in v0.5.3

type Oauth2Token struct {
	Path         string // Path is used by the CLI framework
	AccessToken  string `mapstructure:"access_token"`
	TokenType    string `mapstructure:"token_type"`
	RefreshToken string `mapstructure:"refresh_token"`
	Expiry       string `mapstructure:"expiry"`
}

func (Oauth2Token) ToXOauth2Token added in v0.5.3

func (t Oauth2Token) ToXOauth2Token() (*oauth2.Token, error)

type OauthCredential added in v0.5.2

type OauthCredential struct {
	Path         string // Path is used by the CLI framework
	ClientId     string `json:"client_id" mapstructure:"client_id" yaml:"client_id"`
	ClientSecret string `json:"client_secret" mapstructure:"client_secret" yaml:"client_secret"`
}

type RSAKey deprecated

type RSAKey struct {
	Path string // Path is used by the CLI framework
	Key  string `json:"key" mapstructure:"key" yaml:"key"`
}

RSAKey is an RSA key whose value is stored in base64 encoded DER.

Deprecated: use CryptoKey instead.

func MustGetRSAKey

func MustGetRSAKey(c Client, ctx context.Context, path string) *RSAKey

func (*RSAKey) RSAPrivateKey

func (k *RSAKey) RSAPrivateKey() (*rsa.PrivateKey, error)

type Renewal

type Renewal struct {
	Name     string
	Critical bool
	Time     time.Time
	Error    error
}

type VaultClient

type VaultClient struct {
	sync.Mutex
	// contains filtered or unexported fields
}

func (*VaultClient) AWSAssumeRole

func (c *VaultClient) AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error)

func (*VaultClient) AWSAssumeRoleSimple

func (c *VaultClient) AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error)

func (*VaultClient) AWSIAMUser

func (c *VaultClient) AWSIAMUser(ctx context.Context, name string) (*AWSCredential, Handle, error)

func (*VaultClient) Authenticate

func (c *VaultClient) Authenticate(ctx context.Context) error

func (*VaultClient) DatabaseCredential

func (c *VaultClient) DatabaseCredential(ctx context.Context, suffix string) (*Credential, Handle, error)

func (*VaultClient) Decrypt

func (c *VaultClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error)

func (*VaultClient) DecryptAEAD

func (c *VaultClient) DecryptAEAD(ctx context.Context, suffix, data string, aad []fmt.Stringer) ([]byte, error)

func (*VaultClient) Destroy

func (c *VaultClient) Destroy(h Handle) error

func (*VaultClient) Encrypt

func (c *VaultClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error)

func (*VaultClient) EncryptAEAD

func (c *VaultClient) EncryptAEAD(ctx context.Context, suffix string, data []byte, aad []fmt.Stringer) (string, error)

func (*VaultClient) MakeNonCritical

func (c *VaultClient) MakeNonCritical(h Handle) error

func (*VaultClient) Notifications

func (c *VaultClient) Notifications() <-chan Renewal

func (*VaultClient) RawSecret

func (c *VaultClient) RawSecret(ctx context.Context, path string, out any) (Handle, error)

func (*VaultClient) Run

func (c *VaultClient) Run(ctx context.Context, wg *sync.WaitGroup) error

func (*VaultClient) Secret

func (c *VaultClient) Secret(ctx context.Context, suffix string, out any) (Handle, error)

func (*VaultClient) SetAuth added in v0.7.0

func (c *VaultClient) SetAuth(a api.AuthMethod)

SetAuth is exposed for advanced clients to do unusual auth (such as overriding auth for UserPass). This is not part of the public API guarantee and may be broken at any point without a major version rev.

func (*VaultClient) VaultToken

func (c *VaultClient) VaultToken() string

VaultToken is not part of the official API but is exposed for clients that need access to the token for some reason. There are no compatibility guarantees with this method, and its use limits portability.

func (*VaultClient) WriteSecret

func (c *VaultClient) WriteSecret(ctx context.Context, suffix string, in any) error

type VaultClientConfig

type VaultClientConfig struct {
	Host       string `env:"VAULT_ADDR" yaml:"vault_addr" json:"vault_addr"`
	Token      string `env:"VAULT_TOKEN" yaml:"vault_token" json:"vault_token"`
	RoleId     string `env:"VAULT_ROLE_ID" yaml:"vault_role_id" json:"vault_role_id"`
	RoleSecret string `env:"VAULT_SECRET_ID" yaml:"vault_secret_id" json:"vault_secret_id"`
	JWT        string `env:"VAULT_JWT" yaml:"vault_jwt" json:"vault_jwt"`
	JWTRole    string `env:"VAULT_JWT_ROLE" yaml:"vault_jwt_role" json:"vault_jwt_role"`
	Increment  int    `env:"VAULT_INCREMENT" yaml:"vault_increment" json:"vault_increment"`
	AuthMethod api.AuthMethod
}

func (*VaultClientConfig) Validate

func (c *VaultClientConfig) Validate() error

type VaultHandle

type VaultHandle struct {
	// contains filtered or unexported fields
}

func (*VaultHandle) Reference

func (h *VaultHandle) Reference() string

type VaultServiceClient

type VaultServiceClient interface {
	Auth() *api.Auth
	Sys() *api.Sys
	Token() string
}
