server

package
v0.7.19

Published: May 6, 2026 License: MIT Imports: 11 Imported by: 0

Documentation

Overview

Package server persists and retrieves secrets under envelope encryption. The SecretStore interface is the single external contract. Implementations: EnvelopePostgresStore (postgres.go) for self-hosted Postgres, and azurekv.KeyVaultStore (sibling package) for Azure Key Vault.

Index

Constants

This section is empty.

Variables

var ErrNotFound = errors.New("secretstore: not found")

ErrNotFound is returned by Get when a secret with the given name does not exist.

Functions

func GenerateMasterKey

func GenerateMasterKey() (string, error)

GenerateMasterKey returns a fresh base64-encoded 32-byte master key, suitable for CRONFOUNDRY_MASTER_KEY.

func ParseMasterKey

func ParseMasterKey(encoded string) ([]byte, error)

ParseMasterKey decodes the base64 form used in CRONFOUNDRY_MASTER_KEY. Intended for CLI entry points; callers inside this package use the unexported parseMasterKey directly.

Types

type EnvelopePostgresStore

type EnvelopePostgresStore struct {
	// contains filtered or unexported fields
}

EnvelopePostgresStore is the P2 SecretStore implementation: each secret carries its own DEK, wrapped with the process-wide master key.

func NewEnvelopePostgresStore

func NewEnvelopePostgresStore(pool *pgxpool.Pool, orgID pgtype.UUID, master []byte) *EnvelopePostgresStore

NewEnvelopePostgresStore constructs a store bound to a single org and master key. master must be exactly 32 bytes.

func (*EnvelopePostgresStore) Delete

func (s *EnvelopePostgresStore) Delete(ctx context.Context, name string) error

func (*EnvelopePostgresStore) Get

func (s *EnvelopePostgresStore) Get(ctx context.Context, name string) (string, error)

func (*EnvelopePostgresStore) List

func (s *EnvelopePostgresStore) List(ctx context.Context) ([]string, error)

func (*EnvelopePostgresStore) Put

func (s *EnvelopePostgresStore) Put(ctx context.Context, name, value string) error

type SecretStore

type SecretStore interface {
	// Get returns the cleartext value of the named secret.
	Get(ctx context.Context, name string) (string, error)

	// Put stores a cleartext value under the given name, overwriting any
	// prior version.
	Put(ctx context.Context, name, value string) error

	// Delete removes the secret. Returns nil if the secret does not exist.
	Delete(ctx context.Context, name string) error

	// List returns the names of all secrets, sorted alphabetically.
	// Values are never returned; this is a metadata-only operation.
	List(ctx context.Context) ([]string, error)
}

SecretStore reads, writes, and deletes secret values for a single organization. Callers never see ciphertext, nonces, or DEKs.
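The envelope scheme described for EnvelopePostgresStore (a per-secret DEK wrapped by the 32-byte master key) and the SecretStore contract (callers see only cleartext, Get on a missing name returns ErrNotFound) can be shown end to end with a small in-memory store. The code below is an added example, not the package's own implementation: MemEnvelopeStore, row, seal, open and aead are hypothetical names, and AES-256-GCM is assumed as the AEAD because the page does not say which one the package uses. Only the Get and Put half of the interface is implemented, since List and Delete involve no cryptography.

```go
package main

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrNotFound = errors.New("secretstore: not found")

// aead builds AES-256-GCM; the master key and every DEK must be exactly 32 bytes.
func aead(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under key; a fresh random nonce is prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or any tampering fails GCM authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// row is what a backend persists per secret; cleartext and raw DEK never reach storage.
type row struct{ wrappedDEK, ciphertext []byte }

// MemEnvelopeStore is a hypothetical in-memory stand-in for EnvelopePostgresStore.
type MemEnvelopeStore struct {
	master []byte
	rows   map[string]row
}

// Put: fresh DEK per secret, value sealed under the DEK, DEK sealed under master.
func (s *MemEnvelopeStore) Put(_ context.Context, name, value string) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	ct, err := seal(dek, []byte(value))
	if err != nil {
		return err
	}
	wrapped, err := seal(s.master, dek)
	if err != nil {
		return err
	}
	if s.rows == nil {
		s.rows = map[string]row{}
	}
	s.rows[name] = row{wrappedDEK: wrapped, ciphertext: ct}
	return nil
}

// Get unwraps the DEK with the master key, then decrypts the value with the DEK.
func (s *MemEnvelopeStore) Get(_ context.Context, name string) (string, error) {
	r, ok := s.rows[name]
	if !ok {
		return "", ErrNotFound
	}
	dek, err := open(s.master, r.wrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, r.ciphertext)
	return string(pt), err
}

func main() {
	s := &MemEnvelopeStore{master: []byte("0123456789abcdef0123456789abcdef")} // constructed demo key only
	_ = s.Put(context.Background(), "db-password", "hunter2")
	fmt.Println(s.Get(context.Background(), "db-password"))
}
```

Two properties worth checking in any real backend follow directly from this layout: two secrets with the same cleartext produce unrelated ciphertext because each gets its own DEK, and a wrong master key or a single flipped ciphertext byte is rejected at Get rather than yielding garbage, because GCM authenticates both the wrapped DEK and the value.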

Directories

Path Synopsis
azurekv Package azurekv provides an Azure Key Vault implementation of server.SecretStore.
