Documentation ¶
Overview ¶
Package secrets provides an interface for a simple secret store: you ask it for a secret (a byte blob, identifies by some key), and it returns it to you (current version, as well as a bunch of previous versions). Caller are supposed to use the secret for an operation and then forget it (e.g. do not try to store it elsewhere).
Secure storage, retrieval and rotation of secrets is outside of the scope of this interface: it's the responsibility of the implementation.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( // ErrNoStoreConfigured is returned by GetSecret if secret store is not in // the context. ErrNoStoreConfigured = errors.New("secrets.Store is not in the context") )
var ( // ErrNoSuchSecret is returned by Store.GetSecret if it can't find a secret. ErrNoSuchSecret = errors.New("secret not found") )
Functions ¶
Types ¶
type DerivedStore ¶
type DerivedStore struct {
// contains filtered or unexported fields
}
DerivedStore implements Store by deriving secrets from some single master secret using HKDF.
Caches all derived secrets internally forever. Assumes the set of possible key names is limited.
func NewDerivedStore ¶
func NewDerivedStore(root Secret) *DerivedStore
NewDerivedStore returns a store that derives secrets from the given root key.
func (*DerivedStore) GetSecret ¶
func (d *DerivedStore) GetSecret(name string) (Secret, error)
GetSecret returns a generated secret given its key.
func (*DerivedStore) SetRoot ¶
func (d *DerivedStore) SetRoot(root Secret)
SetRoot replaces the root key used to derive secrets.
type Secret ¶
type Secret struct { Current []byte `json:"current"` // current value of the secret, always set Previous [][]byte `json:"previous,omitempty"` // optional list of previous values, most recent first }
Secret represents a current value of a secret as well as a set of few previous values. Previous values are important when key is being rotated: there may be valid outstanding derivatives of previous values of the secret.
func GetSecret ¶
GetSecret is a shortcut for grabbing a Store from the context and using its GetSecret method.
If the context doesn't have Store set, returns ErrNoStoreConfigured.
type StaticStore ¶
StaticStore is Store with predefined secrets.
type Store ¶
type Store interface { // GetSecret returns a secret given its key. // // Store may choose to autogenerate a secret if there's no existing one, or it // may choose to treat it as a error and return ErrNoSuchSecret. GetSecret(name string) (Secret, error) }
Store knows how to retrieve (or autogenerate) a secret given its key.
Directories ¶
Path | Synopsis |
---|---|
Package testsecrets provides a dumb in-memory secret store to use in unit tests.
|
Package testsecrets provides a dumb in-memory secret store to use in unit tests. |