secrets

package
v0.0.0-...-a0a3655
Published: Jun 28, 2019 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Package secrets provides an interface for a simple secret store: you ask it for a secret (a byte blob identified by some key), and it returns it to you (the current version, together with some previous versions). Callers are expected to use the secret for one operation and then forget it (i.e. not store it anywhere else).

Secure storage, retrieval and rotation of secrets are outside the scope of this interface: they are the responsibility of the implementation.

Index

Constants

This section is empty.

Variables

var (
	// ErrNoStoreConfigured is returned by GetSecret if secret store is not in
	// the context.
	ErrNoStoreConfigured = errors.New("secrets.Store is not in the context")
)
var (
	// ErrNoSuchSecret is returned by Store.GetSecret if it can't find a secret.
	ErrNoSuchSecret = errors.New("secret not found")
)

Functions

func Set

Set injects the given Store object into the context, so that Get returns that same object as is.

func SetFactory

func SetFactory(c context.Context, f Factory) context.Context

SetFactory sets the function to produce Store instances when Get(c) is used.

Types

type DerivedStore

type DerivedStore struct {
	// contains filtered or unexported fields
}

DerivedStore implements Store by deriving each named secret from a single master (root) secret using HKDF.

All derived secrets are cached internally forever, so the store assumes the set of possible key names is small and bounded: deriving secrets for unbounded or caller-controlled names would grow the cache without limit.

func NewDerivedStore

func NewDerivedStore(root Secret) *DerivedStore

NewDerivedStore returns a store that derives secrets from the given root key.

func (*DerivedStore) GetSecret

func (d *DerivedStore) GetSecret(name string) (Secret, error)

GetSecret returns a generated secret given its key.

func (*DerivedStore) SetRoot

func (d *DerivedStore) SetRoot(root Secret)

SetRoot replaces the root key used to derive secrets.

type Factory

type Factory func(context.Context) Store

Factory knows how to make a new Store.

type Secret

type Secret struct {
	Current  []byte   `json:"current"`            // current value of the secret, always set
	Previous [][]byte `json:"previous,omitempty"` // optional list of previous values, most recent first
}

Secret represents the current value of a secret as well as a few previous values. Previous values matter while a key is being rotated: there may still be valid outstanding derivatives (e.g. MACs or tokens) of previous values of the secret.

func GetSecret

func GetSecret(c context.Context, key string) (Secret, error)

GetSecret is a shortcut for grabbing a Store from the context and using its GetSecret method.

If the context doesn't have Store set, returns ErrNoStoreConfigured.

func (Secret) Blobs

func (s Secret) Blobs() [][]byte

Blobs returns the current blob followed by all previous blobs (most recent first) as one slice.

func (Secret) Equal

func (s Secret) Equal(a Secret) bool

Equal returns true if secrets are equal.

Does *not* run in constant time, so it must not be used to compare secrets or MAC tags in a cryptographic context due to susceptibility to timing attacks; use crypto/subtle.ConstantTimeCompare or crypto/hmac.Equal for that.
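The following stand-alone Go program is an added example, not code from this package, that reconstructs the behaviour documented above for DerivedStore, Secret and Blobs: a DerivedStore-like store deriving per-name secrets from a root with HKDF (implemented here with crypto/hmac and SHA-256 rather than an external hkdf package), a rotation where the old root is kept in Previous so outstanding tags still verify, and a verifier that walks Blobs() with a constant-time comparison instead of Equal. Secret and Blobs are redeclared locally; the "secrets:"+name info label, the 32-byte derived size and clearing the cache on SetRoot are this example's assumptions, and the sample root keys and message are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Secret mirrors the package's Secret type, redeclared so the example is self-contained.
type Secret struct {
	Current  []byte
	Previous [][]byte // most recent first
}

// Blobs returns the current blob followed by all previous blobs, as the package documents.
func (s Secret) Blobs() [][]byte {
	return append([][]byte{s.Current}, s.Previous...)
}

// hkdfSHA256 is HKDF (RFC 5869, extract then expand) over SHA-256 using only the standard
// library: n bytes derived from root material ikm, bound to the context string info.
func hkdfSHA256(ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // zero salt, RFC 5869 section 2.2
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ { // T(i) = HMAC(PRK, T(i-1) || info || i)
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// derivedStore is a hypothetical stand-in for the documented DerivedStore: each named
// secret is HKDF-derived from the root and cached. Dropping the cache on SetRoot is an
// assumption of this example (the cached values belong to the old root).
type derivedStore struct {
	root  Secret
	cache map[string]Secret
}

func newDerivedStore(root Secret) *derivedStore {
	return &derivedStore{root: root, cache: map[string]Secret{}}
}

func (d *derivedStore) SetRoot(root Secret) {
	d.root, d.cache = root, map[string]Secret{}
}

// GetSecret derives Current from root.Current and one Previous entry per root.Previous,
// so after a rotation the derived secret still carries what older derivatives were made with.
func (d *derivedStore) GetSecret(name string) (Secret, error) {
	if s, ok := d.cache[name]; ok {
		return s, nil
	}
	info := []byte("secrets:" + name) // assumed label; binds the derived key to its name
	s := Secret{Current: hkdfSHA256(d.root.Current, info, 32)}
	for _, p := range d.root.Previous {
		s.Previous = append(s.Previous, hkdfSHA256(p, info, 32))
	}
	d.cache[name] = s
	return s, nil
}

// sign tags msg with HMAC-SHA256 under the secret's current value.
func sign(s Secret, msg []byte) []byte {
	m := hmac.New(sha256.New, s.Current)
	m.Write(msg)
	return m.Sum(nil)
}

// verify accepts a tag made with the current or any previous value, comparing in constant
// time (Secret.Equal is documented as not constant time, so it is deliberately not used).
func verify(s Secret, msg, tag []byte) bool {
	for _, k := range s.Blobs() {
		m := hmac.New(sha256.New, k)
		m.Write(msg)
		if subtle.ConstantTimeCompare(m.Sum(nil), tag) == 1 {
			return true
		}
	}
	return false
}

func main() {
	v1, v2 := []byte("root-key-v1 (constructed)"), []byte("root-key-v2 (constructed)")
	store := newDerivedStore(Secret{Current: v1})
	sec, _ := store.GetSecret("session-cookie")
	msg := []byte("user=alice") // constructed sample message
	tag := sign(sec, msg)

	// Rotate: v2 becomes current, v1 is kept as previous, so the outstanding tag still verifies.
	store.SetRoot(Secret{Current: v2, Previous: [][]byte{v1}})
	sec, _ = store.GetSecret("session-cookie")
	fmt.Println("old tag after rotation:", verify(sec, msg, tag))

	// Retire v1 entirely: the old tag is now rejected.
	store.SetRoot(Secret{Current: v2})
	sec, _ = store.GetSecret("session-cookie")
	fmt.Println("old tag after retiring v1:", verify(sec, msg, tag))
}
```

The two-step rotation in main is the operational point of Previous: keep the retired root listed until every derivative made under it (cookies, tokens, MACs) has expired, then drop it, at which point verification of those derivatives fails.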

type StaticStore

type StaticStore map[string]Secret

StaticStore is Store with predefined secrets.

func (StaticStore) GetSecret

func (s StaticStore) GetSecret(k string) (Secret, error)

GetSecret returns a secret given its key or ErrNoSuchSecret if no such secret exists.

The caller must not mutate the secret.

type Store

type Store interface {
	// GetSecret returns a secret given its key.
	//
	// Store may choose to autogenerate a secret if there's no existing one, or it
	// may choose to treat it as a error and return ErrNoSuchSecret.
	GetSecret(name string) (Secret, error)
}

Store knows how to retrieve (or autogenerate) a secret given its key.

func Get

func Get(c context.Context) Store

Get grabs a Store by calling Factory stored in the context. If one hasn't been set, it returns nil.

Directories

Path Synopsis
Package testsecrets provides a dumb in-memory secret store to use in unit tests.
