kms


Documentation

Overview

Package kms provides Key Management Services support

Index

Constants

This section is empty.

Variables

var (
	// ErrWrongSecretStatus is returned when the secret's status is not
	// appropriate for the requested operation.
	ErrWrongSecretStatus = errors.New("wrong secret status")
	// ErrInvalidSecret is returned when a secret is not valid.
	ErrInvalidSecret = errors.New("invalid secret")
)

Functions

func RegisterSecretProvider

func RegisterSecretProvider(scheme string, encryptedStatus SecretStatus, fn func(base BaseSecret, url, masterKey string) SecretProvider)

RegisterSecretProvider registers a new secret provider for the given URL scheme.

Types

type BaseSecret

// BaseSecret holds the fields shared by all secret provider implementations.
// Every field carries omitempty, so a zero-valued BaseSecret marshals to an
// empty JSON object.
type BaseSecret struct {
	// Status is one of the SecretStatus constants (SecretStatusPlain,
	// SecretStatusAES256GCM, SecretStatusRedacted, ...).
	Status         SecretStatus `json:"status,omitempty"`
	// Payload holds the secret data; whether it is plaintext or ciphertext
	// is indicated by Status.
	Payload        string       `json:"payload,omitempty"`
	// Key is provider-specific key material stored alongside the payload.
	// NOTE(review): presumably a wrapped data key used by the KMS-backed
	// providers — confirm against the provider implementations.
	Key            string       `json:"key,omitempty"`
	// AdditionalData is provider-specific data stored alongside the payload.
	// NOTE(review): looks like it is intended as additional authenticated
	// data for AEAD-based providers — confirm.
	AdditionalData string       `json:"additional_data,omitempty"`
	// Mode describes how the payload is protected; 1 means encrypted using a
	// master key. Other values are not documented here.
	Mode int `json:"mode,omitempty"`
}

BaseSecret defines the base struct shared among all the secret providers

func (*BaseSecret) GetAdditionalData

func (s *BaseSecret) GetAdditionalData() string

GetAdditionalData returns the secret's additional data

func (*BaseSecret) GetKey

func (s *BaseSecret) GetKey() string

GetKey returns the secret's key

func (*BaseSecret) GetMode

func (s *BaseSecret) GetMode() int

GetMode returns the encryption mode

func (*BaseSecret) GetPayload

func (s *BaseSecret) GetPayload() string

GetPayload returns the secret's payload

func (*BaseSecret) GetStatus

func (s *BaseSecret) GetStatus() SecretStatus

GetStatus returns the secret's status

func (*BaseSecret) SetAdditionalData

func (s *BaseSecret) SetAdditionalData(value string)

SetAdditionalData sets the secret's additional data

func (*BaseSecret) SetKey

func (s *BaseSecret) SetKey(value string)

SetKey sets the secret's key

func (*BaseSecret) SetStatus

func (s *BaseSecret) SetStatus(value SecretStatus)

SetStatus sets the secret's status

type Configuration

// Configuration holds the KMS configuration. Initialize sets up KMS support
// from the embedded Secrets settings.
type Configuration struct {
	// Secrets selects the provider URL and the master key source.
	Secrets Secrets `json:"secrets" mapstructure:"secrets"`
}

Configuration defines the KMS configuration

func (*Configuration) Initialize

func (c *Configuration) Initialize() error

Initialize configures the KMS support

type Scheme

// Scheme is the URL scheme that identifies a secret provider. It is a type
// alias for string rather than a distinct type, so the compiler accepts any
// string where a Scheme is expected; unknown schemes can only be rejected at
// runtime.
type Scheme = string

Scheme defines the supported URL scheme

// Supported URL schemes. A scheme is bound to a provider through
// RegisterSecretProvider; it is presumably matched against the scheme of
// Secrets.URL at initialization — confirm.
const (
	// SchemeLocal: secrets protected with a locally provided symmetric key
	// (see NewLocalSecret).
	SchemeLocal         Scheme = "local"
	// SchemeBuiltin: the built-in provider.
	SchemeBuiltin       Scheme = "builtin"
	// SchemeAWS: AWS Key Management Service.
	SchemeAWS           Scheme = "awskms"
	// SchemeGCP: Google Cloud KMS.
	SchemeGCP           Scheme = "gcpkms"
	// SchemeVaultTransit: the HashiCorp Vault transit secrets engine.
	SchemeVaultTransit  Scheme = "hashivault"
	// SchemeAzureKeyVault: Azure Key Vault.
	SchemeAzureKeyVault Scheme = "azurekeyvault"
)

Supported URL schemes.

type Secret

// Secret stores confidential data. It embeds a sync.RWMutex (presumably
// guarding the unexported fields), so a Secret must not be copied by value
// once in use; use Clone to obtain an independent copy, and NewEmptySecret,
// NewPlainSecret or NewSecret to construct one.
type Secret struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

Secret defines the struct used to store confidential data

func NewEmptySecret

func NewEmptySecret() *Secret

NewEmptySecret returns an empty secret

func NewPlainSecret

func NewPlainSecret(payload string) *Secret

NewPlainSecret stores the given payload in a plain text secret.

func NewSecret

func NewSecret(status SecretStatus, payload, key, data string) *Secret

NewSecret builds a new Secret using the provided arguments

func (*Secret) Clone

func (s *Secret) Clone() *Secret

Clone returns a copy of the secret object

func (*Secret) Decrypt

func (s *Secret) Decrypt() error

Decrypt decrypts a Secret object

func (*Secret) Encrypt

func (s *Secret) Encrypt() error

Encrypt encrypts a plain text Secret object

func (*Secret) GetAdditionalData

func (s *Secret) GetAdditionalData() string

GetAdditionalData returns the secret additional data

func (*Secret) GetKey

func (s *Secret) GetKey() string

GetKey returns the secret key

func (*Secret) GetMode

func (s *Secret) GetMode() int

GetMode returns the secret mode

func (*Secret) GetPayload

func (s *Secret) GetPayload() string

GetPayload returns the secret payload

func (*Secret) GetStatus

func (s *Secret) GetStatus() SecretStatus

GetStatus returns the secret status

func (*Secret) Hide

func (s *Secret) Hide()

Hide hides the information needed to decrypt the data.

func (*Secret) IsEmpty

func (s *Secret) IsEmpty() bool

IsEmpty returns true if all fields are empty

func (*Secret) IsEncrypted

func (s *Secret) IsEncrypted() bool

IsEncrypted returns true if the secret is encrypted. This isn't a pointer receiver because we don't want to pass a pointer to html template. (Note: the signature shown above does declare a pointer receiver, so this remark appears to be out of date.)

func (*Secret) IsEqual

func (s *Secret) IsEqual(other *Secret) bool

IsEqual returns true if all the secrets fields are equal

func (*Secret) IsNotPlainAndNotEmpty

func (s *Secret) IsNotPlainAndNotEmpty() bool

IsNotPlainAndNotEmpty returns true if the secret is not plain and not empty. This is a utility method: the secret for an existing user is updated only if it is empty or plain.

func (*Secret) IsPlain

func (s *Secret) IsPlain() bool

IsPlain returns true if the secret is in plain text

func (*Secret) IsRedacted

func (s *Secret) IsRedacted() bool

IsRedacted returns true if the secret is redacted

func (*Secret) IsValid

func (s *Secret) IsValid() bool

IsValid returns true if the secret is not empty and valid

func (*Secret) IsValidInput

func (s *Secret) IsValidInput() bool

IsValidInput returns true if the secret is a valid user input

func (*Secret) MarshalJSON

func (s *Secret) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON encoding of the Secret object.

func (*Secret) SetAdditionalData

func (s *Secret) SetAdditionalData(value string)

SetAdditionalData sets the given additional data

func (*Secret) SetKey

func (s *Secret) SetKey(value string)

SetKey sets the key for this secret

func (*Secret) SetStatus

func (s *Secret) SetStatus(value SecretStatus)

SetStatus sets the status for this secret

func (*Secret) TryDecrypt

func (s *Secret) TryDecrypt() error

TryDecrypt decrypts a Secret object if encrypted. It returns a nil error if the object is not encrypted

func (*Secret) UnmarshalJSON

func (s *Secret) UnmarshalJSON(data []byte) error

UnmarshalJSON parses the JSON-encoded data and stores the result in the Secret object

type SecretProvider

// SecretProvider is the interface a KMS secrets provider implements. The
// methods mirror those of Secret and BaseSecret; Secret's methods of the same
// name presumably delegate to the provider selected by the URL scheme —
// confirm.
type SecretProvider interface {
	// Name identifies the provider.
	Name() string
	// Encrypt encrypts a plain text secret in place.
	Encrypt() error
	// Decrypt decrypts the secret in place.
	Decrypt() error
	// IsEncrypted reports whether the secret is currently encrypted.
	IsEncrypted() bool
	// GetStatus returns the current SecretStatus.
	GetStatus() SecretStatus
	// GetPayload returns the secret payload (plaintext or ciphertext
	// depending on the status).
	GetPayload() string
	// GetKey returns the provider-specific key material.
	GetKey() string
	// GetAdditionalData returns the provider-specific additional data.
	GetAdditionalData() string
	// GetMode returns the encryption mode (see BaseSecret.Mode).
	GetMode() int
	// SetKey replaces the key material.
	SetKey(string)
	// SetAdditionalData replaces the additional data.
	SetAdditionalData(string)
	// SetStatus replaces the status.
	SetStatus(SecretStatus)
	// Clone returns an independent copy of the provider and its secret.
	Clone() SecretProvider
}

SecretProvider defines the interface for a KMS secrets provider

func NewLocalSecret

func NewLocalSecret(base BaseSecret, url, masterKey string) SecretProvider

NewLocalSecret returns a SecretProvider that uses a locally provided symmetric key.

type SecretStatus

// SecretStatus describes the state of a Secret's payload (plain, encrypted
// with a given provider, or redacted). It is a type alias for string, so any
// string is accepted by the compiler; only the SecretStatus constants below
// are meaningful.
type SecretStatus = string

SecretStatus defines the statuses of a Secret object

// Secret statuses. The value is stored in BaseSecret.Status and tells how the
// payload is currently protected; every status other than SecretStatusPlain
// and SecretStatusRedacted denotes a payload encrypted by the named provider.
const (
	// SecretStatusPlain means the secret is in plain text and must be encrypted
	SecretStatusPlain SecretStatus = "Plain"
	// SecretStatusAES256GCM means the secret is encrypted using AES-256-GCM
	SecretStatusAES256GCM SecretStatus = "AES-256-GCM"
	// SecretStatusSecretBox means the secret is encrypted using a locally provided symmetric key
	SecretStatusSecretBox SecretStatus = "Secretbox"
	// SecretStatusGCP means we use keys from Google Cloud Platform’s Key Management Service
	// (GCP KMS) to keep information secret
	SecretStatusGCP SecretStatus = "GCP"
	// SecretStatusAWS means we use customer master keys from Amazon Web Service’s
	// Key Management Service (AWS KMS) to keep information secret
	SecretStatusAWS SecretStatus = "AWS"
	// SecretStatusVaultTransit means we use the transit secrets engine in Vault
	// to keep information secret
	SecretStatusVaultTransit SecretStatus = "VaultTransit"
	// SecretStatusAzureKeyVault means we use Azure KeyVault to keep information secret
	SecretStatusAzureKeyVault SecretStatus = "AzureKeyVault"
	// SecretStatusRedacted means the secret is redacted: the payload is not
	// available in this representation (see Secret.IsRedacted)
	SecretStatusRedacted SecretStatus = "Redacted"
)

type Secrets

// Secrets defines the KMS configuration for encryption/decryption: the
// provider URL and where the master key comes from.
type Secrets struct {
	// URL selects the provider; its scheme is presumably one of the Scheme
	// constants (see RegisterSecretProvider) — confirm.
	URL             string `json:"url" mapstructure:"url"`
	// MasterKeyPath is the path of a file holding the master key.
	MasterKeyPath   string `json:"master_key_path" mapstructure:"master_key_path"`
	// MasterKeyString holds the master key inline. NOTE(review): because it
	// is a tagged configuration field, the key material lives in the config
	// source itself and will appear in any dump of this struct; prefer
	// MasterKeyPath where the deployment allows it.
	MasterKeyString string `json:"master_key" mapstructure:"master_key"`
	// contains filtered or unexported fields
}

Secrets defines the KMS configuration for encryption/decryption.
