Constants ¶
const (
	// SecretPath is the local filesystem directory under which secret
	// material is kept. Note the trailing slash.
	// NOTE(review): everything under this directory is sensitive; confirm
	// the permissions applied by whichever component creates it.
	SecretPath = "/var/lib/osd/secrets/"

	// CustomSecretData is a keyContext key. When present it tells the
	// secret provider not to generate a secret of its own but to store the
	// secret supplied in the API call as-is.
	CustomSecretData = "custom_secret_data"

	// PublicSecretData is a keyContext key. When present the API call
	// refers to the public part of a secret rather than the secret itself.
	PublicSecretData = "public_secret_data"

	// OverwriteSecretDataInStore is a keyContext key. It signals whether
	// secret data already held in the persistent store may be replaced.
	// An overwrite is destructive: if the replaced secret was the key used
	// to Encrypt other data, that data may no longer be decryptable.
	OverwriteSecretDataInStore = "overwrite_secret_data_in_store"
)
// Backend identifiers. Each string names one supported secrets backend.
const (
	// TypeAWS identifies the AWS KMS backend.
	TypeAWS = "aws-kms"
	// TypeAzure identifies the Azure Key Vault backend.
	TypeAzure = "azure-kv"
	// TypeDCOS identifies the DC/OS secrets backend.
	TypeDCOS = "dcos"
	// TypeDocker identifies the Docker secrets backend.
	TypeDocker = "docker"
	// TypeGCloud identifies the Google Cloud KMS backend.
	TypeGCloud = "gcloud-kms"
	// TypeIBM identifies the IBM Key Protect backend.
	TypeIBM = "ibm-kp"
	// TypeK8s identifies the Kubernetes secrets backend.
	TypeK8s = "k8s"
	// TypeKVDB identifies the key-value database backend.
	TypeKVDB = "kvdb"
	// TypeVault identifies the HashiCorp Vault backend.
	TypeVault = "vault"
)
const (
	// KeyVaultNamespace is a keyContext key carrying the Vault namespace
	// to use for vault-backed secrets.
	KeyVaultNamespace = "vault-namespace"
)
Variables ¶
// Sentinel errors returned by the secrets APIs. Match them with errors.Is
// against the variables below, never by comparing message text: the
// messages are part of the public surface only in so far as they are
// logged, and their capitalisation predates the lowercase convention.
var (
	// ErrNotSupported is returned when a backend does not implement the
	// requested operation.
	ErrNotSupported = errors.New("implementation not supported")
	// ErrNotAuthenticated is returned when the caller is not authenticated
	// with the secrets endpoint.
	ErrNotAuthenticated = errors.New("Not authenticated with the secrets endpoint")
	// ErrInvalidSecretId is returned when no secret data exists for the
	// given secret ID.
	ErrInvalidSecretId = errors.New("No Secret Data found for Secret ID")
	// ErrEmptySecretData is returned when a request to store a secret
	// carries no secret data.
	ErrEmptySecretData = errors.New("Secret data cannot be empty")
	// ErrEmptySecretId is returned when a request to retrieve secret data
	// carries no secret name/ID.
	ErrEmptySecretId = errors.New("Secret Name/ID cannot be empty")
	// ErrSecretExists is returned when a secret with the given ID is
	// already present.
	ErrSecretExists = errors.New("Secret Id already exists")
	// ErrInvalidSecretData is returned when the CustomSecretData or
	// PublicSecretData flag is set but no secret data was supplied.
	ErrInvalidSecretData = errors.New("Secret Data cannot be empty when CustomSecretData|PublicSecretData flag is set")
)
Functions ¶
func KeyContextChecks ¶
KeyContextChecks validates the keys and values passed in a key context map.
func SetInstance ¶
SetInstance sets the singleton instance of the secrets backend.
Types ¶
type BackendInit ¶
type ErrInvalidKeyContext ¶
// ErrInvalidKeyContext is the error returned when secret data reaches the
// secret APIs together with a key context that fails validation. It is a
// distinct type rather than a sentinel value, so callers should match it
// with errors.As. Reason is intended to describe what was wrong with the
// key context; it may be surfaced in logs, so implementations should not
// place secret material in it.
type ErrInvalidKeyContext struct {
	Reason string
}
ErrInvalidKeyContext is returned when secret data is provided to the secret APIs with an invalid key context.
func (*ErrInvalidKeyContext) Error ¶
func (e *ErrInvalidKeyContext) Error() string
type Secrets ¶
// Secrets is the contract every backend Key Management System (KMS) must
// satisfy. Every data-bearing call takes a keyContext map; the keys this
// package defines for it are CustomSecretData, PublicSecretData,
// OverwriteSecretDataInStore and KeyVaultNamespace, and each backend decides
// which of them it honours.
type Secrets interface {
	// String returns a human-readable name for the backend KMS.
	String() string

	// GetSecret fetches the secret data stored under secretId. The result is
	// plain text that callers may use as key material for their own
	// encryption. The caller is expected to discard it as soon as it has
	// been used; note that Go gives no guarantee that a string or map value
	// is wiped from memory, so "discard" is best-effort.
	GetSecret(
		secretId string,
		keyContext map[string]string,
	) (map[string]interface{}, error)

	// PutSecret stores plainText in the backend under secretId.
	PutSecret(
		secretId string,
		plainText map[string]interface{},
		keyContext map[string]string,
	) error

	// DeleteSecret removes the secret data stored under secretId.
	DeleteSecret(
		secretId string,
		keyContext map[string]string,
	) error

	// Encrypt encrypts plaintTextData with the key identified by secretId.
	// An implementation is expected to fetch the plain-text key, use it, and
	// then drop it from memory; the key must not be persisted anywhere else.
	Encrypt(
		secretId string,
		plaintTextData string,
		keyContext map[string]string,
	) (string, error)

	// Decrypt reverses Encrypt: it fetches the key identified by secretId,
	// decrypts encryptedData with it, and drops the key without storing it.
	Decrypt(
		secretId string,
		encryptedData string,
		keyContext map[string]string,
	) (string, error)

	// Rencrypt decrypts encryptedData with the key identified by
	// originalSecretId/originalKeyContext and encrypts the result again with
	// the key identified by newSecretId/newKeyContext. The method name is
	// misspelled ("Reencrypt" was intended) but is part of the public
	// interface and cannot be changed without breaking implementers.
	Rencrypt(
		originalSecretId string,
		newSecretId string,
		originalKeyContext map[string]string,
		newKeyContext map[string]string,
		encryptedData string,
	) (string, error)

	// ListSecrets returns the IDs of the secrets known to the backend. It
	// yields identifiers only, never secret data.
	ListSecrets() ([]string, error)
}
Secrets is the interface implemented by every backend Key Management System (KMS).