Documentation
Overview
Package kms provides Key Management Services support
Index
- Variables
- func RegisterSecretProvider(scheme string, encryptedStatus SecretStatus, ...)
- type BaseSecret
- func (s *BaseSecret) GetAdditionalData() string
- func (s *BaseSecret) GetKey() string
- func (s *BaseSecret) GetMode() int
- func (s *BaseSecret) GetPayload() string
- func (s *BaseSecret) GetStatus() SecretStatus
- func (s *BaseSecret) SetAdditionalData(value string)
- func (s *BaseSecret) SetKey(value string)
- func (s *BaseSecret) SetStatus(value SecretStatus)
- type Configuration
- type Scheme
- type Secret
- func (s *Secret) Clone() *Secret
- func (s *Secret) Decrypt() error
- func (s *Secret) Encrypt() error
- func (s *Secret) GetAdditionalData() string
- func (s *Secret) GetKey() string
- func (s *Secret) GetMode() int
- func (s *Secret) GetPayload() string
- func (s *Secret) GetStatus() SecretStatus
- func (s *Secret) Hide()
- func (s *Secret) IsEmpty() bool
- func (s *Secret) IsEncrypted() bool
- func (s *Secret) IsEqual(other *Secret) bool
- func (s *Secret) IsNotPlainAndNotEmpty() bool
- func (s *Secret) IsPlain() bool
- func (s *Secret) IsRedacted() bool
- func (s *Secret) IsValid() bool
- func (s *Secret) IsValidInput() bool
- func (s *Secret) MarshalJSON() ([]byte, error)
- func (s *Secret) SetAdditionalData(value string)
- func (s *Secret) SetKey(value string)
- func (s *Secret) SetStatus(value SecretStatus)
- func (s *Secret) TryDecrypt() error
- func (s *Secret) UnmarshalJSON(data []byte) error
- type SecretProvider
- type SecretStatus
- type Secrets
Constants
This section is empty.
Variables
var (
	// ErrWrongSecretStatus defines the error to return if the secret status is not appropriate
	// for the requested operation
	ErrWrongSecretStatus = errors.New("wrong secret status")
	// ErrInvalidSecret defines the error to return if a secret is not valid
	ErrInvalidSecret = errors.New("invalid secret")
)
Functions
func RegisterSecretProvider
func RegisterSecretProvider(scheme string, encryptedStatus SecretStatus, fn func(base BaseSecret, url, masterKey string) SecretProvider)
RegisterSecretProvider registers a new secret provider
Types
type BaseSecret
type BaseSecret struct {
	Status         SecretStatus `json:"status,omitempty"`
	Payload        string       `json:"payload,omitempty"`
	Key            string       `json:"key,omitempty"`
	AdditionalData string       `json:"additional_data,omitempty"`
	// 1 means encrypted using a master key
	Mode int `json:"mode,omitempty"`
}
BaseSecret defines the base struct shared among all the secret providers
func (*BaseSecret) GetAdditionalData
func (s *BaseSecret) GetAdditionalData() string
func (*BaseSecret) GetKey
func (s *BaseSecret) GetKey() string
func (*BaseSecret) GetMode
func (s *BaseSecret) GetMode() int
func (*BaseSecret) GetPayload
func (s *BaseSecret) GetPayload() string
func (*BaseSecret) GetStatus
func (s *BaseSecret) GetStatus() SecretStatus
func (*BaseSecret) SetAdditionalData
func (s *BaseSecret) SetAdditionalData(value string)
func (*BaseSecret) SetKey
func (s *BaseSecret) SetKey(value string)
func (*BaseSecret) SetStatus
func (s *BaseSecret) SetStatus(value SecretStatus)
type Configuration
type Configuration struct {
Secrets Secrets `json:"secrets" mapstructure:"secrets"`
}
Configuration defines the KMS configuration
func (*Configuration) Initialize
func (c *Configuration) Initialize() error
Initialize configures the KMS support
type Secret
Secret defines the struct used to store confidential data
func GetSecretFromCompatString
GetSecretFromCompatString returns a secret from the previous format
func NewPlainSecret
NewPlainSecret stores the given payload in a plain text secret
func NewSecret
func NewSecret(status SecretStatus, payload, key, data string) *Secret
NewSecret builds a new Secret using the provided arguments
func (*Secret) GetAdditionalData
GetAdditionalData returns the secret additional data
func (*Secret) GetPayload
GetPayload returns the secret payload
func (*Secret) GetStatus
func (s *Secret) GetStatus() SecretStatus
GetStatus returns the secret status
func (*Secret) IsEncrypted
IsEncrypted returns true if the secret is encrypted. This isn't a pointer receiver because we don't want to pass a pointer to html template
func (*Secret) IsNotPlainAndNotEmpty
IsNotPlainAndNotEmpty returns true if the secret is not plain and not empty. This is a utility method: we update the secret for an existing user if it is empty or plain
func (*Secret) IsRedacted
IsRedacted returns true if the secret is redacted
func (*Secret) IsValidInput
IsValidInput returns true if the secret is a valid user input
func (*Secret) MarshalJSON
MarshalJSON returns the JSON encoding of the Secret object
func (*Secret) SetAdditionalData
SetAdditionalData sets the given additional data
func (*Secret) SetStatus
func (s *Secret) SetStatus(value SecretStatus)
SetStatus sets the status for this secret
func (*Secret) TryDecrypt
TryDecrypt decrypts a Secret object if encrypted. It returns a nil error if the object is not encrypted
func (*Secret) UnmarshalJSON
UnmarshalJSON parses the JSON-encoded data and stores the result in the Secret object
type SecretProvider
type SecretProvider interface {
	Name() string
	Encrypt() error
	Decrypt() error
	IsEncrypted() bool
	GetStatus() SecretStatus
	GetPayload() string
	GetKey() string
	GetAdditionalData() string
	GetMode() int
	SetKey(string)
	SetAdditionalData(string)
	SetStatus(SecretStatus)
	Clone() SecretProvider
}
SecretProvider defines the interface for a KMS secrets provider
func NewLocalSecret
func NewLocalSecret(base BaseSecret, url, masterKey string) SecretProvider
NewLocalSecret returns a SecretProvider that uses a locally provided symmetric key
type SecretStatus
type SecretStatus = string
SecretStatus defines the statuses of a Secret object
const (
	// SecretStatusPlain means the secret is in plain text and must be encrypted
	SecretStatusPlain SecretStatus = "Plain"
	// SecretStatusAES256GCM means the secret is encrypted using AES-256-GCM
	SecretStatusAES256GCM SecretStatus = "AES-256-GCM"
	// SecretStatusSecretBox means the secret is encrypted using a locally provided symmetric key
	SecretStatusSecretBox SecretStatus = "Secretbox"
	// SecretStatusGCP means we use keys from Google Cloud Platform’s Key Management Service
	// (GCP KMS) to keep information secret
	SecretStatusGCP SecretStatus = "GCP"
	// SecretStatusAWS means we use customer master keys from Amazon Web Service’s
	// Key Management Service (AWS KMS) to keep information secret
	SecretStatusAWS SecretStatus = "AWS"
	// SecretStatusVaultTransit means we use the transit secrets engine in Vault
	// to keep information secret
	SecretStatusVaultTransit SecretStatus = "VaultTransit"
	// SecretStatusAzureKeyVault means we use Azure KeyVault to keep information secret
	SecretStatusAzureKeyVault SecretStatus = "AzureKeyVault"
	// SecretStatusRedacted means the secret is redacted
	SecretStatusRedacted SecretStatus = "Redacted"
)
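A hypothetical provider implementing the Encrypt/Decrypt half of SecretProvider, added here as an example and not code from the kms package: its fields mirror BaseSecret and the status values are copied from this page, it seals the payload with AES-256-GCM under a 32-byte master key (an assumption; this page does not describe how the real local provider handles keys), binds AdditionalData as associated data so an encrypted payload cannot be copied onto another record, and returns errors with the meaning of ErrWrongSecretStatus and ErrInvalidSecret when the status does not fit the operation or the stored payload fails to decode or authenticate. Name, IsEncrypted, Clone and the getters and setters the interface also requires are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

const SecretStatusPlain, SecretStatusAES256GCM = "Plain", "AES-256-GCM" // values copied from the kms package
// MasterKeyProvider is a hypothetical provider; Status, Payload, AdditionalData and Mode mirror kms.BaseSecret.
type MasterKeyProvider struct {
	Status, Payload, AdditionalData string
	Mode                            int      // 1 = encrypted using the master key
	masterKey                       [32]byte // assumed 32-byte master key (AES-256)
}

// Encrypt accepts only a non-empty Plain secret and stores base64(nonce||ciphertext||tag) with AdditionalData as AAD.
func (p *MasterKeyProvider) Encrypt() error {
	if p.Status != SecretStatusPlain || p.Payload == "" {
		return errors.New("wrong secret status") // same meaning as kms.ErrWrongSecretStatus
	}
	block, _ := aes.NewCipher(p.masterKey[:]) // 32-byte key: NewCipher cannot fail
	g, _ := cipher.NewGCM(block)              // AES block: NewGCM cannot fail
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (documented since Go 1.24)
	ct := g.Seal(nonce, nonce, []byte(p.Payload), []byte(p.AdditionalData))
	p.Payload, p.Status, p.Mode = base64.StdEncoding.EncodeToString(ct), SecretStatusAES256GCM, 1
	return nil
}

// Decrypt reverses Encrypt; a malformed, tampered or re-associated payload errors and leaves the secret untouched.
func (p *MasterKeyProvider) Decrypt() error {
	if p.Status != SecretStatusAES256GCM {
		return errors.New("wrong secret status")
	}
	block, _ := aes.NewCipher(p.masterKey[:])
	g, _ := cipher.NewGCM(block)
	ct, err := base64.StdEncoding.DecodeString(p.Payload)
	if err != nil || len(ct) < g.NonceSize() {
		return errors.New("invalid secret") // same meaning as kms.ErrInvalidSecret
	}
	pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(p.AdditionalData))
	if err != nil {
		return errors.New("invalid secret") // GCM tag check failed: wrong key, tampering or changed AAD
	}
	p.Payload, p.Status, p.Mode = string(pt), SecretStatusPlain, 0
	return nil
}
```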
type Secrets
type Secrets struct {
	URL             string `json:"url" mapstructure:"url"`
	MasterKeyPath   string `json:"master_key_path" mapstructure:"master_key_path"`
	MasterKeyString string `json:"master_key" mapstructure:"master_key"`
	// contains filtered or unexported fields
}
Secrets defines the KMS configuration for encryption/decryption