secrets

package
v0.4.5
Published: Apr 11, 2024 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package secrets is a lightweight wrapper over a third-party secrets management service, to enforce security and privacy best practices when mapping bidirectionally between autokitteh connections and third-party service details and authentication tokens. This is used by a higher-level gRPC service to manage user and connection secrets.

Index

Constants

This section is empty.

Variables

View Source
var Configs = configset.Set[Config]{
	Default: &Config{
		Timeout: 1 * time.Minute,
	},
}

Functions

func New

func New(l *zap.Logger, db db.DB, cfg *Config) (sdkservices.Secrets, error)

Types

type Config added in v0.3.1

type Config struct {
	Type     string        `koanf:"type"`
	VaultURL string        `koanf:"vault_url"`
	Timeout  time.Duration `koanf:"timeout_duration"`
}

type Secrets

type Secrets interface {
	// Set creates or replaces (i.e. overwrite, not update) a named secret of key-value
	// data. Data size limit = from 25 KiB to 1 MiB, depending on infrastructure:
	//   - https://developer.hashicorp.com/vault/docs/internals/limits
	//   - https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
	//   - https://cloud.google.com/secret-manager/quotas
	//   - https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets
	Set(ctx context.Context, scope, name string, data map[string]string) error
	// Get retrieves the key-value data associated with a named secret.
	// If the name does not exist then we return nothing, not an error.
	Get(ctx context.Context, scope, name string) (map[string]string, error)
	// Append adds a token (as a key, with the current timestamp as the value)
	// to an existing secret, or creates the secret if it doesn't exist already.
	Append(ctx context.Context, scope, name, token string) error
	// Delete permanently deletes all the metadata and versions of key-value
	// data of a named secret. Deleting a nonexistent name has no effect,
	// but isn't considered an error.
	Delete(ctx context.Context, scope, name string) error
}

Secrets is an internal, generic, minimalistic API for managing autokitteh user secrets. The interface does not enforce isolation by itself; its gRPC wrappers do, based on integration identity. That is why the interface is internal and not meant for direct use by autokitteh integrations.
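An in-memory implementation of the contract documented above, added here as an illustration (it is not the package's NewFakeSecrets or any other autokitteh code). It shows the four documented behaviours: Set overwrites rather than merges, Get returns nil data and nil error for an unknown name, Append creates the secret if needed and stores a timestamp under the token, and Delete of a missing name is not an error. The 25 KiB cap (the smallest of the backend limits listed above), the NUL-joined scope/name key, and the names memSecrets, newMemSecrets and key are assumptions of this example:

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// maxSize is an assumed cap: the smallest backend limit cited above (25 KiB).
const maxSize = 25 << 10

// memSecrets implements the Secrets contract above in memory (example code, not
// autokitteh's own). Keys combine scope and name, so scopes never share data.
type memSecrets struct{ store map[string]map[string]string }
func newMemSecrets() *memSecrets { return &memSecrets{store: map[string]map[string]string{}} }
func key(scope, name string) string { return scope + "\x00" + name } // NUL avoids "a/b"+"c" vs "a"+"b/c" clashes

// Set creates or overwrites the whole secret; it never merges with old data.
func (m *memSecrets) Set(ctx context.Context, scope, name string, data map[string]string) error {
	size, cp := 0, make(map[string]string, len(data))
	for k, v := range data {
		size += len(k) + len(v)
		cp[k] = v // keep a copy so the caller's map cannot alias ours
	}
	if size > maxSize {
		return fmt.Errorf("secret %q: %d bytes exceeds limit of %d", name, size, maxSize)
	}
	m.store[key(scope, name)] = cp
	return nil
}

func (m *memSecrets) Get(ctx context.Context, scope, name string) (map[string]string, error) {
	return m.store[key(scope, name)], nil // a missing name reads as a nil map, not an error
}

// Append adds token as a key holding the current Unix timestamp, creating the secret if needed.
func (m *memSecrets) Append(ctx context.Context, scope, name, token string) error {
	k := key(scope, name)
	if m.store[k] == nil {
		m.store[k] = map[string]string{}
	}
	m.store[k][token] = fmt.Sprint(time.Now().Unix())
	return nil
}

// Delete removes the secret; deleting a missing name is a silent no-op.
func (m *memSecrets) Delete(ctx context.Context, scope, name string) error {
	delete(m.store, key(scope, name))
	return nil
}
```

The same scope/name isolation is what the package's gRPC wrappers are expected to enforce from the caller's integration identity before reaching this layer.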

func NewAWSSecrets added in v0.3.1

func NewAWSSecrets(l *zap.Logger, c *Config) (Secrets, error)

NewAWSSecrets initializes a client connection to AWS Secrets Manager.

func NewDatabaseSecrets added in v0.4.5

func NewDatabaseSecrets(l *zap.Logger, db db.DB) (Secrets, error)

NewDatabaseSecrets initializes a (simple and persistent, yet insecure) secrets manager for local non-production usage, in AK's relational database. DO NOT STORE REAL SECRETS IN THIS WAY FOR LONG PERIODS OF TIME!

func NewFakeSecrets

func NewFakeSecrets(l *zap.Logger) (Secrets, error)

NewFakeSecrets initializes a fake secrets manager for unit-testing. It's similar to NewFileSecrets, but entirely in-memory.

func NewFileSecrets

func NewFileSecrets(l *zap.Logger, dataDir string) (Secrets, error)

NewFileSecrets initializes a (fake but simple and persistent) secrets manager for local non-production usage, in the form of a JSON file. The file is read only once, when a new client is initialized, and overwritten whenever Set() is called. DO NOT STORE REAL SECRETS IN THIS WAY FOR LONG PERIODS OF TIME!

func NewVaultSecrets

func NewVaultSecrets(l *zap.Logger, c *Config) (Secrets, error)

NewVaultSecrets initializes a client connection to HashiCorp Vault.
