secrets

package
v0.0.8 Latest
Warning

This package is not in the latest version of its module.

Published: Aug 13, 2025 License: MIT Imports: 6 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	ErrNotFound     = errors.New("secret not found")
	ErrAccessDenied = errors.New("access denied") // nuh, uh, uh!
	ErrIDMismatch   = errors.New("id mismatch")
)
var ErrInvalidPattern = errors.New("invalid pattern")

Functions

This section is empty.

Types

type Envelope

type Envelope struct {
	ID         ID        `json:"-"`
	Value      []byte    `json:"-"`
	Provider   string    `json:"-"`
	Version    string    `json:"-"`
	Error      string    `json:"-"`
	CreatedAt  time.Time `json:"-"`
	ResolvedAt time.Time `json:"-"`
	ExpiresAt  time.Time `json:"-"`
}

func EnvelopeErr added in v0.0.5

func EnvelopeErr(req Request, err error) Envelope

func (Envelope) MarshalJSON added in v0.0.6

func (e Envelope) MarshalJSON() ([]byte, error)

type ErrInvalidID added in v0.0.6

type ErrInvalidID struct {
	ID string
}

func (ErrInvalidID) Error added in v0.0.6

func (e ErrInvalidID) Error() string

type ID

type ID interface {
	// String formats the [IDNew] as a string
	String() string
	// Match the [IDNew] against a [PatternNew]
	// It checks if a given identifier matches the pattern.
	// - "*" matches a single component
	// - "**" matches zero or more components
	// - "/" is the separator
	Match(pattern Pattern) bool
}

ID contains a secret identifier. Valid secret identifiers must match the format [A-Za-z0-9.-]+(/[A-Za-z0-9.-]+)+?.

For storage, we don't differentiate much about the ID format, but by convention IDs are simple and slash-separated, which provides a groupable access control system for management across plugins.

func MustParseID added in v0.0.6

func MustParseID(s string) ID

MustParseID parses a string into an ID and behaves like ParseID, except that it panics when the ID is invalid.

func ParseID

func ParseID(s string) (ID, error)

ParseID creates a new ID from a string. If a validation error occurs, it returns nil and the error. Rules:

  • Components separated by '/'
  • Each component is non-empty
  • Only characters A-Z, a-z, 0-9, '.', '_' or '-'
  • No leading, trailing, or double slashes

type Pattern

type Pattern interface {
	// Match the [PatternNew] against an [IDNew]
	Match(id ID) bool
	// String formats the [Pattern] as a string
	String() string
}

Pattern can be used to match secret identifiers. Valid patterns must follow the same validation rules as secret identifiers, with the exception that '*' can be used to match a single component, and '**' can be used to match zero or more components.

func MustParsePattern added in v0.0.6

func MustParsePattern(s string) Pattern

MustParsePattern parses a string into a Pattern like ParsePattern, except that it panics when a validation error occurs.

func ParsePattern

func ParsePattern(s string) (Pattern, error)

ParsePattern parses a string into a Pattern. Rules:

  • Components separated by '/'
  • Each component is non-empty
  • Only characters A-Z, a-z, 0-9, '.', '-', '_' or '*'
  • No leading, trailing, or double slashes
  • Asterisk rules:
      • '*' cannot be mixed with other characters in the same component
      • there can be no more than two '*' per component
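
The ID and pattern rules above, together with the "*" and "**" semantics documented on ID.Match, as a standalone sketch. This is an added example, not this package's code: `split`, `matchParts` and `Allowed` are hypothetical names, and treating invalid input as a non-match is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Component character set taken from the ParseID rules on this page.
var component = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

// split (hypothetical helper) validates each '/'-separated component. Empty
// components fail, which rejects leading, trailing and double slashes.
func split(s string, wildcards bool) ([]string, bool) {
	parts := strings.Split(s, "/")
	for _, p := range parts {
		wild := wildcards && (p == "*" || p == "**")
		if !wild && !component.MatchString(p) {
			return nil, false
		}
	}
	return parts, true
}

// matchParts: "*" consumes exactly one component, "**" zero or more.
func matchParts(pat, id []string) bool {
	switch {
	case len(pat) == 0:
		return len(id) == 0
	case pat[0] == "**":
		return matchParts(pat[1:], id) || (len(id) > 0 && matchParts(pat, id[1:]))
	case len(id) == 0 || (pat[0] != "*" && pat[0] != id[0]):
		return false
	}
	return matchParts(pat[1:], id[1:])
}

// Allowed reports whether id matches pattern. Assumption: invalid input on
// either side never matches, so a malformed ID cannot satisfy an ACL pattern.
func Allowed(pattern, id string) bool {
	p, okP := split(pattern, true)
	i, okI := split(id, false)
	return okP && okI && matchParts(p, i)
}

func main() {
	// Constructed IDs: "**" spans zero components here, "*" needs exactly one.
	fmt.Println(Allowed("db/**/password", "db/password"), Allowed("db/*/password", "db/password"))
}
```

When such patterns back access-control decisions, the difference between "*" and "**" decides how deep a grant reaches, so a grant like `db/**` covers every nested ID while `db/*` covers only direct children.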

type Request

type Request struct {
	ID ID `json:"-"`

	// Provider can be optionally specified to restrict the resolver
	// to a particular provider stack.
	Provider    string    `json:"-"`
	ClientID    string    `json:"-"`
	RequestedAt time.Time `json:"-"`
}

func (Request) MarshalJSON added in v0.0.6

func (r Request) MarshalJSON() ([]byte, error)

type Resolver

type Resolver interface {
	GetSecret(ctx context.Context, request Request) (Envelope, error)
}
