secrets

package
v0.2.5

Warning: This package is not in the latest version of its module.
Published: Aug 8, 2025 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Overview

Package secrets contains the secrets management logic for ToolHive.

Index

Constants

const (
	// PasswordEnvVar is the environment variable used to specify the password for encrypting and decrypting secrets.
	PasswordEnvVar = "TOOLHIVE_SECRETS_PASSWORD"

	// ProviderEnvVar is the environment variable used to specify the secrets provider type.
	ProviderEnvVar = "TOOLHIVE_SECRETS_PROVIDER"
)

Variables

var Err1PasswordReadOnly = fmt.Errorf("1Password secrets manager is read-only, write operations are not supported")

Err1PasswordReadOnly indicates that the 1Password secrets manager is read-only. It is returned by operations which attempt to change values in 1Password.

var ErrKeyringNotAvailable = errors.New("OS keyring is not available. " +
	"The encrypted provider requires an OS keyring to securely store passwords. " +
	"Please use a different secrets provider (e.g., 1password) " +
	"or ensure your system has a keyring service available")

ErrKeyringNotAvailable is returned when the OS keyring is not available for the encrypted provider.

var ErrSecretsNotSetup = errors.New("secrets provider not configured. " +
	"Please run 'thv secret setup' to configure a secrets provider first")

ErrSecretsNotSetup is returned when secrets functionality is used before running setup.

var ErrUnknownManagerType = errors.New("unknown secret manager type")

ErrUnknownManagerType is returned when an invalid value for ProviderType is specified.

Functions

func GenerateSecurePassword added in v0.0.48

func GenerateSecurePassword() (string, error)

GenerateSecurePassword generates a cryptographically secure random password.

func GetSecretsPassword

func GetSecretsPassword(optionalPassword string) ([]byte, error)

GetSecretsPassword returns the password to use for encrypting and decrypting secrets. If optionalPassword is provided and the keyring is not yet set up, it uses that password and stores it. Otherwise, it uses the current functionality (read from keyring or stdin).

func IsKeyringAvailable added in v0.0.48

func IsKeyringAvailable() bool

IsKeyringAvailable tests if the OS keyring is available by attempting to set and delete a test value.

func ResetKeyringSecret

func ResetKeyringSecret() error

ResetKeyringSecret clears out the secret from the keystore (if present).

func SecretParametersToCLI added in v0.0.34

func SecretParametersToCLI(params []SecretParameter) []string

SecretParametersToCLI does the reverse of `ParseSecretParameter`. TODO: it may be possible to get rid of this with refactoring.

Types

type EncryptedManager

type EncryptedManager struct {
	// contains filtered or unexported fields
}

EncryptedManager stores secrets in an encrypted file. AES-256-GCM is used for encryption.

func (*EncryptedManager) Capabilities added in v0.0.43

func (*EncryptedManager) Capabilities() ProviderCapabilities

Capabilities returns the capabilities of the encrypted provider.

func (*EncryptedManager) Cleanup

func (e *EncryptedManager) Cleanup() error

Cleanup removes all secrets managed by this manager.

func (*EncryptedManager) DeleteSecret

func (e *EncryptedManager) DeleteSecret(_ context.Context, name string) error

DeleteSecret removes a secret from the secret store.

func (*EncryptedManager) GetSecret

func (e *EncryptedManager) GetSecret(_ context.Context, name string) (string, error)

GetSecret retrieves a secret from the secret store.

func (*EncryptedManager) ListSecrets

func (e *EncryptedManager) ListSecrets(_ context.Context) ([]SecretDescription, error)

ListSecrets returns a list of all secret names stored in the manager.

func (*EncryptedManager) SetSecret

func (e *EncryptedManager) SetSecret(_ context.Context, name, value string) error

SetSecret stores a secret in the secret store.

type NoneManager added in v0.0.44

type NoneManager struct{}

NoneManager is a no-op secrets provider that doesn't store or retrieve secrets. It's designed for use in Kubernetes environments where secrets are provided as environment variables or file mounts, eliminating the need for interactive password prompts.

func (*NoneManager) Capabilities added in v0.0.44

func (*NoneManager) Capabilities() ProviderCapabilities

Capabilities returns the capabilities of the none provider. The none provider is essentially read-only but doesn't actually read anything.

func (*NoneManager) Cleanup added in v0.0.44

func (*NoneManager) Cleanup() error

Cleanup is a no-op for the none provider since there's nothing to clean up.

func (*NoneManager) DeleteSecret added in v0.0.44

func (*NoneManager) DeleteSecret(_ context.Context, name string) error

DeleteSecret always returns an error indicating that the none provider doesn't support secret deletion.

func (*NoneManager) GetSecret added in v0.0.44

func (*NoneManager) GetSecret(_ context.Context, name string) (string, error)

GetSecret always returns an error indicating that the none provider doesn't support secret retrieval.

func (*NoneManager) ListSecrets added in v0.0.44

func (*NoneManager) ListSecrets(_ context.Context) ([]SecretDescription, error)

ListSecrets returns an empty list since the none provider doesn't store any secrets.

func (*NoneManager) SetSecret added in v0.0.44

func (*NoneManager) SetSecret(_ context.Context, name, _ string) error

SetSecret always returns an error indicating that the none provider doesn't support secret storage.

type OnePasswordManager added in v0.0.32

type OnePasswordManager struct {
	// contains filtered or unexported fields
}

OnePasswordManager manages secrets in 1Password.

func NewOnePasswordManagerWithClient added in v0.0.43

func NewOnePasswordManagerWithClient(client clients.OnePasswordClient) *OnePasswordManager

NewOnePasswordManagerWithClient creates an instance of OnePasswordManager with a provided 1Password client. This function is primarily intended for testing purposes.

func (*OnePasswordManager) Capabilities added in v0.0.43

func (*OnePasswordManager) Capabilities() ProviderCapabilities

Capabilities returns the capabilities of the 1Password provider. Read-only provider with listing support.

func (*OnePasswordManager) Cleanup added in v0.0.32

func (*OnePasswordManager) Cleanup() error

Cleanup is not needed for 1Password.

func (*OnePasswordManager) DeleteSecret added in v0.0.32

func (*OnePasswordManager) DeleteSecret(_ context.Context, _ string) error

DeleteSecret is not supported for 1Password unless there is demand for it.

func (*OnePasswordManager) GetSecret added in v0.0.32

func (o *OnePasswordManager) GetSecret(ctx context.Context, path string) (string, error)

GetSecret retrieves a secret from 1Password.

func (*OnePasswordManager) ListSecrets added in v0.0.32

func (o *OnePasswordManager) ListSecrets(ctx context.Context) ([]SecretDescription, error)

ListSecrets lists the paths to the secrets in 1Password. 1Password has a hierarchy of vaults, items, and fields. Each secret is represented as a path in the format `op://<vault>/<item>/<field>`.

func (*OnePasswordManager) SetSecret added in v0.0.32

func (*OnePasswordManager) SetSecret(_ context.Context, _, _ string) error

SetSecret is not supported for 1Password unless there is demand for it.

type Provider added in v0.0.32

type Provider interface {
	GetSecret(ctx context.Context, name string) (string, error)
	SetSecret(ctx context.Context, name, value string) error
	DeleteSecret(ctx context.Context, name string) error
	ListSecrets(ctx context.Context) ([]SecretDescription, error)
	Cleanup() error
	// Capabilities returns what operations this provider supports
	Capabilities() ProviderCapabilities
}

Provider describes a type which can manage secrets.

func CreateSecretProvider added in v0.0.33

func CreateSecretProvider(managerType ProviderType) (Provider, error)

CreateSecretProvider creates the specified type of secrets provider. TODO: the Create function does not actually create anything; refactor or rename.

func CreateSecretProviderWithPassword added in v0.0.48

func CreateSecretProviderWithPassword(managerType ProviderType, password string) (Provider, error)

CreateSecretProviderWithPassword creates the specified type of secrets provider with an optional password. If password is empty, it uses the current functionality (read from keyring or stdin). If password is provided, it uses that password and stores it in the keyring if not already set up.

func NewEncryptedManager

func NewEncryptedManager(filePath string, key []byte) (Provider, error)

NewEncryptedManager creates an instance of EncryptedManager.

func NewNoneManager added in v0.0.44

func NewNoneManager() (Provider, error)

NewNoneManager creates an instance of NoneManager.

func NewOnePasswordManager added in v0.0.32

func NewOnePasswordManager() (Provider, error)

NewOnePasswordManager creates an instance of OnePasswordManager.

type ProviderCapabilities added in v0.0.43

type ProviderCapabilities struct {
	CanRead    bool
	CanWrite   bool
	CanDelete  bool
	CanList    bool
	CanCleanup bool
}

ProviderCapabilities represents what operations a secrets provider supports.

func (ProviderCapabilities) IsReadOnly added in v0.0.43

func (pc ProviderCapabilities) IsReadOnly() bool

IsReadOnly returns true if the provider only supports read operations.

func (ProviderCapabilities) IsReadWrite added in v0.0.43

func (pc ProviderCapabilities) IsReadWrite() bool

IsReadWrite returns true if the provider supports both read and write operations.

func (ProviderCapabilities) String added in v0.0.43

func (pc ProviderCapabilities) String() string

String returns a human-readable description of the capabilities.
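As an added example (not ToolHive's own code), the following wraps a Provider in a guard that consults its ProviderCapabilities before forwarding a write, so a read-only backend such as the 1Password provider described above is never asked to mutate anything. The Provider interface is reduced to GetSecret, SetSecret and Capabilities, the IsReadOnly semantics (reads allowed, no writes or deletes) and the readOnlyStub backend are assumptions of this example, and ErrReadOnly stands in for the page's Err1PasswordReadOnly.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// ProviderCapabilities mirrors the page's struct; IsReadOnly is this example's
// reading of the method (reads allowed, no mutation of any kind).
type ProviderCapabilities struct{ CanRead, CanWrite, CanDelete, CanList, CanCleanup bool }
func (pc ProviderCapabilities) IsReadOnly() bool { return pc.CanRead && !pc.CanWrite && !pc.CanDelete }

// Provider is a reduced mirror of the page's interface (DeleteSecret, ListSecrets, Cleanup omitted).
type Provider interface {
	GetSecret(ctx context.Context, name string) (string, error)
	SetSecret(ctx context.Context, name, value string) error
	Capabilities() ProviderCapabilities
}

var ErrReadOnly = errors.New("secrets provider is read-only, write operations are not supported")

// Guarded wraps any Provider and refuses writes that its declared
// Capabilities() do not allow, so the backend never sees a forbidden call.
type Guarded struct{ P Provider }
func (g Guarded) Capabilities() ProviderCapabilities { return g.P.Capabilities() }
func (g Guarded) GetSecret(ctx context.Context, name string) (string, error) {
	return g.P.GetSecret(ctx, name)
}
func (g Guarded) SetSecret(ctx context.Context, name, value string) error {
	if !g.P.Capabilities().CanWrite {
		return fmt.Errorf("set %q: %w", name, ErrReadOnly)
	}
	return g.P.SetSecret(ctx, name, value)
}

// readOnlyStub is a constructed stand-in for a read-only backend such as the
// page's 1Password provider: it can read and list, and must never be asked to write.
type readOnlyStub struct{}
func (readOnlyStub) Capabilities() ProviderCapabilities { return ProviderCapabilities{CanRead: true, CanList: true} }
func (readOnlyStub) GetSecret(_ context.Context, name string) (string, error) {
	return "value-of-" + name, nil
}
func (readOnlyStub) SetSecret(context.Context, string, string) error { panic("backend reached despite read-only caps") }

func main() {
	p := Guarded{P: readOnlyStub{}}
	v, _ := p.GetSecret(context.Background(), "op://vault/item/field")
	err := p.SetSecret(context.Background(), "op://vault/item/field", "new")
	fmt.Println(v, p.Capabilities().IsReadOnly(), errors.Is(err, ErrReadOnly)) // value-of-op://vault/item/field true true
}
```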

type ProviderType

type ProviderType string

ProviderType represents an enum of the types of available secrets providers.

const (
	// EncryptedType represents the encrypted secret provider.
	EncryptedType ProviderType = "encrypted"

	// OnePasswordType represents the 1Password secret provider.
	OnePasswordType ProviderType = "1password"

	// NoneType represents the none secret provider.
	NoneType ProviderType = "none"
)

type SecretDescription added in v0.0.43

type SecretDescription struct {
	// Key is the unique identifier for the secret, used when retrieving it.
	Key string `json:"key"`
	// Description provides a human-readable description of the secret
	// Particularly useful for 1password.
	// May be empty if no description is available.
	Description string `json:"description"`
}

SecretDescription is returned by `ListSecrets`.

type SecretParameter

type SecretParameter struct {
	Name   string `json:"name"`
	Target string `json:"target"`
}

SecretParameter represents a parsed `--secret` parameter.

func ParseSecretParameter

func ParseSecretParameter(parameter string) (SecretParameter, error)

ParseSecretParameter creates an instance of SecretParameter from a string. Expected format: `<Name>,target=<Target>`.
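As an added example (not ToolHive's own code), a parser for the `<Name>,target=<Target>` format above together with its inverse SecretParametersToCLI, so that the round trip can be checked. The validation rules beyond the stated format (rejecting an empty name or target, or a comma in the target that the inverse could not preserve) and the reading of Target as an environment variable name are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecretParameter mirrors the page's struct: Name is the secret's key in the
// provider, Target is where it is delivered (assumed: an environment variable name).
type SecretParameter struct {
	Name   string `json:"name"`
	Target string `json:"target"`
}
var errBadSecretParam = errors.New("invalid --secret parameter, expected <Name>,target=<Target>")

// ParseSecretParameter accepts exactly "<Name>,target=<Target>" and rejects
// anything else; the checks beyond the format are this example's own.
func ParseSecretParameter(parameter string) (SecretParameter, error) {
	name, rest, found := strings.Cut(parameter, ",")
	if !found {
		return SecretParameter{}, errBadSecretParam
	}
	target, ok := strings.CutPrefix(rest, "target=")
	if !ok {
		return SecretParameter{}, errBadSecretParam
	}
	// Empty name/target maps nothing or drops the secret; a comma in target would not survive the inverse.
	if name == "" || target == "" || strings.Contains(target, ",") {
		return SecretParameter{}, errBadSecretParam
	}
	return SecretParameter{Name: name, Target: target}, nil
}

// SecretParametersToCLI is the inverse: parse(toCLI(p)[0]) == p for any valid p.
func SecretParametersToCLI(params []SecretParameter) []string {
	out := make([]string, 0, len(params))
	for _, p := range params {
		out = append(out, fmt.Sprintf("%s,target=%s", p.Name, p.Target))
	}
	return out
}

func main() {
	// Constructed sample inputs: one valid, one missing target, one with an empty target.
	for _, raw := range []string{"github_token,target=GITHUB_TOKEN", "github_token", "x,target="} {
		p, err := ParseSecretParameter(raw)
		fmt.Printf("%q -> %+v err=%v\n", raw, p, err)
	}
}
```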

type SetupResult added in v0.0.48

type SetupResult struct {
	ProviderType ProviderType
	Success      bool
	Message      string
	Error        error
}

SetupResult contains the result of a provider setup operation.

func ValidateProvider added in v0.0.48

func ValidateProvider(ctx context.Context, providerType ProviderType) *SetupResult

ValidateProvider validates that a provider can be created and performs basic functionality tests.

func ValidateProviderWithPassword added in v0.0.48

func ValidateProviderWithPassword(ctx context.Context, providerType ProviderType, password string) *SetupResult

ValidateProviderWithPassword validates that a provider can be created and performs basic functionality tests. If a password is provided for the encrypted provider, it uses that password instead of reading from stdin.

Directories

aes: Package aes contains functions for encrypting and decrypting data using AES-GCM.
clients: Package clients contains code for connecting to secret provider APIs.
mocks: Package mocks is a generated GoMock package.