secrets

package
v0.40.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 10, 2024 License: Apache-2.0 Imports: 7 Imported by: 67

Documentation

Overview

Package secrets provides an easy and portable way to encrypt and decrypt messages. Subpackages contain driver implementations of secrets for supported services.

See https://gocloud.dev/howto/secrets/ for a detailed how-to guide.

OpenCensus Integration

OpenCensus supports tracing and metric collection for multiple languages and backend providers. See https://opencensus.io.

This API collects OpenCensus traces and metrics for the following methods:

  • Encrypt
  • Decrypt

All trace and metric names begin with the package import path. The traces add the method name. For example, "gocloud.dev/secrets/Encrypt". The metrics are "completed_calls", a count of completed method calls by driver, method and status (error code); and "latency", a distribution of method latency by driver and method. For example, "gocloud.dev/secrets/latency".

To enable trace collection in your application, see "Configure Exporter" at https://opencensus.io/quickstart/go/tracing. To enable metric collection in your application, see "Exporting stats" at https://opencensus.io/quickstart/go/metrics.

Example
package main

import (
	"context"
	"fmt"
	"log"

	_ "gocloud.dev/secrets/gcpkms"
	"gocloud.dev/secrets/localsecrets"
)

func main() {
	ctx := context.Background()

	// Construct a *secrets.Keeper from one of the secrets subpackages.
	// This example uses localsecrets.
	sk, err := localsecrets.NewRandomKey()
	if err != nil {
		log.Fatal(err)
	}
	keeper := localsecrets.NewKeeper(sk)
	defer keeper.Close()

	// Now we can use keeper to Encrypt.
	plaintext := []byte("Go CDK Secrets")
	ciphertext, err := keeper.Encrypt(ctx, plaintext)
	if err != nil {
		log.Fatal(err)
	}

	// And/or Decrypt.
	decrypted, err := keeper.Decrypt(ctx, ciphertext)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(string(decrypted))

}
Output:

Go CDK Secrets
Example (ErrorAs)
package main

import (
	"context"
	"fmt"
	"log"

	"gocloud.dev/secrets"
	_ "gocloud.dev/secrets/gcpkms"
	"google.golang.org/grpc/status"
)

func main() {
	// This example is specific to the gcpkms implementation; it
	// demonstrates access to the underlying google.golang.org/grpc/status.Status
	// type.
	// The types exposed for As by gcpkms are documented in
	// https://godoc.org/gocloud.dev/secrets/gcpkms#hdr-As
	ctx := context.Background()

	const url = "gcpkms://projects/proj/locations/global/keyRings/test/ring/wrongkey"
	keeper, err := secrets.OpenKeeper(ctx, url)
	if err != nil {
		log.Fatal(err)
	}
	defer keeper.Close()

	plaintext := []byte("Go CDK secrets")
	_, err = keeper.Encrypt(ctx, plaintext)
	if err != nil {
		var s *status.Status
		if keeper.ErrorAs(err, &s) {
			fmt.Println(s.Code())
		}
	}
}
Output:

Example (OpenFromURL)
package main

import (
	"context"
	"fmt"
	"log"

	"gocloud.dev/secrets"
	_ "gocloud.dev/secrets/localsecrets"
)

func main() {
	ctx := context.Background()

	// Create a Keeper using a URL.
	// This example uses "localsecrets", the in-memory implementation.
	// We need to add a blank import line to register the localsecrets driver's
	// URLOpener, which implements secrets.KeeperURLOpener:
	// import _ "gocloud.dev/secrets/localsecrets"
	// localsecrets registers for the "base64key" scheme.
	// All secrets.OpenKeeper URLs also work with "secrets+" or "secrets+keeper+" prefixes,
	// e.g., "secrets+base64key://..." or "secrets+variable+base64key://...".
	// All secrets URLs also work with the "secrets+" prefix, e.g., "secrets+base64key://".
	k, err := secrets.OpenKeeper(ctx, "base64key://smGbjm71Nxd1Ig5FS0wj9SlbzAIrnolCz9bQQ6uAhl4=")
	if err != nil {
		log.Fatal(err)
	}
	defer k.Close()

	// Now we can use k to encrypt/decrypt.
	plaintext := []byte("Go CDK Secrets")
	ciphertext, err := k.Encrypt(ctx, plaintext)
	if err != nil {
		log.Fatal(err)
	}
	decrypted, err := k.Decrypt(ctx, ciphertext)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(string(decrypted))

}
Output:

Go CDK Secrets

Index

Examples

Constants

This section is empty.

Variables

View Source
var NewKeeper = newKeeper

NewKeeper is intended for use by drivers only. Do not use in application code.

View Source
var (

	// OpenCensusViews are predefined views for OpenCensus metrics.
	// The views include counts and latency distributions for API method calls.
	// See the example at https://godoc.org/go.opencensus.io/stats/view for usage.
	OpenCensusViews = oc.Views(pkgName, latencyMeasure)
)

Functions

This section is empty.

Types

type Keeper

type Keeper struct {
	// contains filtered or unexported fields
}

Keeper does encryption and decryption. To create a Keeper, use constructors found in driver subpackages.

func OpenKeeper added in v0.12.0

func OpenKeeper(ctx context.Context, urlstr string) (*Keeper, error)

OpenKeeper opens the Keeper identified by the URL given. See the URLOpener documentation in driver subpackages for details on supported URL formats, and https://gocloud.dev/concepts/urls for more information.

func (*Keeper) Close added in v0.13.0

func (k *Keeper) Close() error

Close releases any resources used for the Keeper.

func (*Keeper) Decrypt

func (k *Keeper) Decrypt(ctx context.Context, ciphertext []byte) (plaintext []byte, err error)

Decrypt decrypts the ciphertext and returns the plaintext.

Example
package main

import (
	"context"
	"log"

	"gocloud.dev/secrets"
	_ "gocloud.dev/secrets/gcpkms"
)

func main() {
	// PRAGMA: This example is used on gocloud.dev; PRAGMA comments adjust how it is shown and can be ignored.
	// PRAGMA: On gocloud.dev, hide lines until the next blank line.
	ctx := context.Background()
	var keeper *secrets.Keeper

	var cipherText []byte // obtained from elsewhere and random-looking
	plainText, err := keeper.Decrypt(ctx, cipherText)
	if err != nil {
		log.Fatal(err)
	}

	// PRAGMA: On gocloud.dev, hide the rest of the function.
	_ = plainText
}
Output:

func (*Keeper) Encrypt

func (k *Keeper) Encrypt(ctx context.Context, plaintext []byte) (ciphertext []byte, err error)

Encrypt encrypts the plaintext and returns the cipher message.

Example
package main

import (
	"context"
	"log"

	"gocloud.dev/secrets"
	_ "gocloud.dev/secrets/gcpkms"
)

func main() {
	// PRAGMA: This example is used on gocloud.dev; PRAGMA comments adjust how it is shown and can be ignored.
	// PRAGMA: On gocloud.dev, hide lines until the next blank line.
	ctx := context.Background()
	var keeper *secrets.Keeper

	plainText := []byte("Secrets secrets...")
	cipherText, err := keeper.Encrypt(ctx, plainText)
	if err != nil {
		log.Fatal(err)
	}

	// PRAGMA: On gocloud.dev, hide the rest of the function.
	_ = cipherText
}
Output:

func (*Keeper) ErrorAs added in v0.10.0

func (k *Keeper) ErrorAs(err error, i interface{}) bool

ErrorAs converts i to driver-specific types. See https://gocloud.dev/concepts/as/ for background information and the driver package documentation for the specific types supported for that driver.

ErrorAs panics if i is nil or not a pointer. ErrorAs returns false if err == nil.

type KeeperURLOpener added in v0.12.0

type KeeperURLOpener interface {
	OpenKeeperURL(ctx context.Context, u *url.URL) (*Keeper, error)
}

KeeperURLOpener represents types that can open Keepers based on a URL. The opener must not modify the URL argument. OpenKeeperURL must be safe to call from multiple goroutines.

This interface is generally implemented by types in driver packages.

type URLMux added in v0.12.0

type URLMux struct {
	// contains filtered or unexported fields
}

URLMux is a URL opener multiplexer. It matches the scheme of the URLs against a set of registered schemes and calls the opener that matches the URL's scheme. See https://gocloud.dev/concepts/urls/ for more information.

The zero value is a multiplexer with no registered schemes.

func DefaultURLMux added in v0.12.0

func DefaultURLMux() *URLMux

DefaultURLMux returns the URLMux used by OpenKeeper.

Driver packages can use this to register their KeeperURLOpener on the mux.

func (*URLMux) KeeperSchemes added in v0.13.0

func (mux *URLMux) KeeperSchemes() []string

KeeperSchemes returns a sorted slice of the registered Keeper schemes.

func (*URLMux) OpenKeeper added in v0.12.0

func (mux *URLMux) OpenKeeper(ctx context.Context, urlstr string) (*Keeper, error)

OpenKeeper calls OpenKeeperURL with the URL parsed from urlstr. OpenKeeper is safe to call from multiple goroutines.

func (*URLMux) OpenKeeperURL added in v0.12.0

func (mux *URLMux) OpenKeeperURL(ctx context.Context, u *url.URL) (*Keeper, error)

OpenKeeperURL dispatches the URL to the opener that is registered with the URL's scheme. OpenKeeperURL is safe to call from multiple goroutines.

func (*URLMux) RegisterKeeper added in v0.12.0

func (mux *URLMux) RegisterKeeper(scheme string, opener KeeperURLOpener)

RegisterKeeper registers the opener with the given scheme. If an opener already exists for the scheme, RegisterKeeper panics.

func (*URLMux) ValidKeeperScheme added in v0.13.0

func (mux *URLMux) ValidKeeperScheme(scheme string) bool

ValidKeeperScheme returns true iff scheme has been registered for Keepers.

Directories

Path Synopsis
Package awskms provides a secrets implementation backed by AWS KMS.
Package awskms provides a secrets implementation backed by AWS KMS.
Package azurekeyvault provides a secrets implementation backed by Azure KeyVault.
Package azurekeyvault provides a secrets implementation backed by Azure KeyVault.
Package driver defines interfaces to be implemented by secrets drivers, which will be used by the secrets package to interact with the underlying services.
Package driver defines interfaces to be implemented by secrets drivers, which will be used by the secrets package to interact with the underlying services.
Package drivertest provides a conformance test for implementations of the secrets driver.
Package drivertest provides a conformance test for implementations of the secrets driver.
Package gcpkms provides a secrets implementation backed by Google Cloud KMS.
Package gcpkms provides a secrets implementation backed by Google Cloud KMS.
hashivault module
Package localsecrets provides a secrets implementation using a locally provided symmetric key.
Package localsecrets provides a secrets implementation using a locally provided symmetric key.
vault module

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL