exposure-notifications-server: github.com/google/exposure-notifications-server/pkg/secrets

package secrets

import "github.com/google/exposure-notifications-server/pkg/secrets"

Package secrets defines a minimum abstract interface for a secret manager. It allows a different implementation to be bound within the ServeEnv.

Although exported, this package is not intended for general consumption. It is a shared dependency between multiple exposure notifications projects. We cannot guarantee that there won't be breaking changes in the future.

Package Files

aws_secrets_manager.go azure_keyvault.go cacher.go config.go google_secret_manager.go hashicorp_vault.go in_memory.go json_expander.go resolver.go secrets.go

Constants

const (
    // SecretPrefix is the prefix that marks an env var value for resolution:
    // a value that starts with it is resolved through the configured secret store.
    SecretPrefix = "secret://"

    // FileSuffix is the suffix to append if the resolved secret should be written to a file.
    // It is only interpreted on environment variable values that start with secret://.
    FileSuffix = "?target=file"
)

func Resolver

func Resolver(sm SecretManager, config *Config) envconfig.MutatorFunc

Resolver returns a function that fetches secrets from the secret manager. If the provided secret manager is nil, the returned function is nil. Otherwise, it looks for values prefixed with secret:// and resolves them as secrets. For slice-typed fields, comma-separated values are processed as individual secrets.
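The rules described above (pass-through for plain values, `secret://` lookup, `?target=file` to land the value on disk, and comma-separated lists for slice fields) as an added, self-contained Go example. This is not the package's own Resolver or envconfig integration: `resolveValue`, `resolveList`, `mapManager` and the sample secrets are constructed for illustration, and the file-name flattening is one reasonable choice, not what the project does.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SecretManager mirrors the interface documented on this page.
type SecretManager interface {
	GetSecretValue(ctx context.Context, name string) (string, error)
}

// mapManager is a constructed in-memory SecretManager used only for this example.
type mapManager map[string]string

func (m mapManager) GetSecretValue(_ context.Context, name string) (string, error) {
	v, ok := m[name]
	if !ok {
		return "", fmt.Errorf("secret %q not found", name)
	}
	return v, nil
}

const (
	secretPrefix = "secret://"
	fileSuffix   = "?target=file"
)

// resolveValue applies the documented rules to one environment variable value:
// values without the prefix pass through unchanged; a "secret://" value is fetched
// from sm; a trailing "?target=file" means the plaintext is written into secretsDir
// (mode 0600) and the file path is returned instead of the secret itself.
func resolveValue(ctx context.Context, sm SecretManager, secretsDir, value string) (string, error) {
	if !strings.HasPrefix(value, secretPrefix) {
		return value, nil
	}
	ref := strings.TrimPrefix(value, secretPrefix)
	toFile := strings.HasSuffix(ref, fileSuffix)
	ref = strings.TrimSuffix(ref, fileSuffix)
	if ref == "" {
		return "", errors.New("empty secret reference")
	}
	plain, err := sm.GetSecretValue(ctx, ref)
	if err != nil {
		return "", fmt.Errorf("resolving %q: %w", ref, err)
	}
	if !toFile {
		return plain, nil
	}
	// Derive a file name from the reference; separators and ".." are flattened so
	// the written file always stays inside secretsDir (example policy, assumed).
	fname := strings.NewReplacer("/", "_", "\\", "_", "..", "_").Replace(ref)
	path := filepath.Join(secretsDir, fname)
	if err := os.MkdirAll(secretsDir, 0o700); err != nil {
		return "", err
	}
	if err := os.WriteFile(path, []byte(plain), 0o600); err != nil {
		return "", err
	}
	return path, nil
}

// resolveList handles the slice case: comma-separated entries are resolved one by one.
func resolveList(ctx context.Context, sm SecretManager, secretsDir, value string) ([]string, error) {
	parts := strings.Split(value, ",")
	out := make([]string, 0, len(parts))
	for _, p := range parts {
		r, err := resolveValue(ctx, sm, secretsDir, strings.TrimSpace(p))
		if err != nil {
			return nil, err
		}
		out = append(out, r)
	}
	return out, nil
}

func main() {
	// Constructed sample secrets; a real deployment would use one of the cloud managers.
	sm := mapManager{"db-password": "hunter2", "api-key": "k-123"}
	dir, _ := os.MkdirTemp("", "secrets-example")
	defer os.RemoveAll(dir)
	ctx := context.Background()
	v, err := resolveValue(ctx, sm, dir, "secret://db-password")
	fmt.Println(v, err)
	vs, err := resolveList(ctx, sm, dir, "secret://api-key,plain,secret://db-password?target=file")
	fmt.Println(vs, err)
}
```

Note that with `?target=file` the process environment only ever holds a path, which is the point of the option: the plaintext never sits in an env var that child processes or crash dumps would inherit, and the 0600 mode keeps it readable by the service user only.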

type AWSSecretsManager

type AWSSecretsManager struct {
    // contains filtered or unexported fields
}

AWSSecretsManager implements SecretManager.

func (*AWSSecretsManager) GetSecretValue

func (sm *AWSSecretsManager) GetSecretValue(ctx context.Context, name string) (string, error)

GetSecretValue implements the SecretManager interface. Secret names should be of the format:

SECRET@VERSION#STAGE

Where:

- SECRET is the name or ARN of the secret
- VERSION is the version ID (default: "")
- STAGE is the stage (one of AWSCURRENT or AWSPREVIOUS, default: "")

Secrets are expected to be string plaintext values (not JSON, YAML, key-value, etc).
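A parser for the `SECRET@VERSION#STAGE` reference format described above, as an added example rather than the package's own parsing code. The `awsSecretRef` type and `parseAWSSecretRef` function are constructed here; the only facts taken from the page are the delimiters, the defaults, and the two permitted stage names.

```go
package main

import (
	"fmt"
	"strings"
)

// awsSecretRef is the parsed form of a SECRET@VERSION#STAGE reference.
type awsSecretRef struct {
	SecretID string // secret name or ARN
	Version  string // version ID, "" when omitted
	Stage    string // AWSCURRENT, AWSPREVIOUS or ""
}

// parseAWSSecretRef splits the documented format. The stage is taken from the
// last '#' and the version from the last '@' of what remains, so a secret ARN
// (which contains ':' and '/' but never '@' or '#') is carried through intact.
// An unknown stage is rejected up front instead of being sent to the API.
func parseAWSSecretRef(name string) (awsSecretRef, error) {
	var ref awsSecretRef
	rest := name
	if i := strings.LastIndex(rest, "#"); i >= 0 {
		ref.Stage = rest[i+1:]
		rest = rest[:i]
	}
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		ref.Version = rest[i+1:]
		rest = rest[:i]
	}
	ref.SecretID = rest
	if ref.SecretID == "" {
		return awsSecretRef{}, fmt.Errorf("secret reference %q has no secret name", name)
	}
	switch ref.Stage {
	case "", "AWSCURRENT", "AWSPREVIOUS":
	default:
		return awsSecretRef{}, fmt.Errorf("secret reference %q: unknown stage %q", name, ref.Stage)
	}
	return ref, nil
}

func main() {
	// Constructed sample references (the ARN below is a placeholder, not a real resource).
	for _, n := range []string{
		"db-creds",
		"db-creds@7f3c#AWSPREVIOUS",
		"arn:aws:secretsmanager:us-east-1:123456789012:secret:db-creds-AbCdEf#AWSCURRENT",
		"db-creds#LATEST",
	} {
		r, err := parseAWSSecretRef(n)
		fmt.Printf("%-80s -> %+v err=%v\n", n, r, err)
	}
}
```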

type AzureKeyVault

type AzureKeyVault struct {
    // contains filtered or unexported fields
}

AzureKeyVault implements SecretManager.

func (*AzureKeyVault) GetSecretValue

func (kv *AzureKeyVault) GetSecretValue(ctx context.Context, name string) (string, error)

GetSecretValue implements the SecretManager interface. Secrets are specified in the format:

AZURE_KEY_VAULT_NAME/SECRET_NAME/SECRET_VERSION

For example:

my-company-vault/api-key/1

If the secret version is omitted, the latest version is used.

type Cacher

type Cacher struct {
    // contains filtered or unexported fields
}

Cacher is a secret manager implementation that wraps another secret manager and caches secret values.

func (*Cacher) GetSecretValue

func (sm *Cacher) GetSecretValue(ctx context.Context, name string) (string, error)

GetSecretValue implements the SecretManager interface, but caches values and retrieves them from the cache.
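A TTL cache wrapping another SecretManager, as an added example of the behaviour described for Cacher; it is not the package's Cacher implementation. `ttlCache`, `newTTLCache` and `countingBackend` are constructed for this example, and the injectable clock is an assumption made so that expiry can be exercised deterministically.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// SecretManager mirrors the interface documented on this page.
type SecretManager interface {
	GetSecretValue(ctx context.Context, name string) (string, error)
}

type cacheEntry struct {
	value   string
	expires time.Time
}

// ttlCache wraps another SecretManager and serves each name from memory until
// its entry is ttl old. The clock is injectable so tests can move time forward.
type ttlCache struct {
	inner SecretManager
	ttl   time.Duration
	now   func() time.Time

	mu    sync.Mutex
	items map[string]cacheEntry
}

func newTTLCache(inner SecretManager, ttl time.Duration, now func() time.Time) *ttlCache {
	if now == nil {
		now = time.Now
	}
	return &ttlCache{inner: inner, ttl: ttl, now: now, items: make(map[string]cacheEntry)}
}

// GetSecretValue returns the cached value while it is fresh; otherwise it asks the
// wrapped manager and stores the answer. Errors are never cached, so a transient
// backend failure does not pin a missing value for the whole TTL.
func (c *ttlCache) GetSecretValue(ctx context.Context, name string) (string, error) {
	c.mu.Lock()
	e, ok := c.items[name]
	c.mu.Unlock()
	if ok && c.now().Before(e.expires) {
		return e.value, nil
	}
	v, err := c.inner.GetSecretValue(ctx, name)
	if err != nil {
		return "", err
	}
	c.mu.Lock()
	c.items[name] = cacheEntry{value: v, expires: c.now().Add(c.ttl)}
	c.mu.Unlock()
	return v, nil
}

// countingBackend is a constructed backend that records how often it is hit,
// which is how the example shows the cache absorbing repeated lookups.
type countingBackend struct {
	calls int
	data  map[string]string
}

func (b *countingBackend) GetSecretValue(_ context.Context, name string) (string, error) {
	b.calls++
	v, ok := b.data[name]
	if !ok {
		return "", errors.New("secret not found: " + name)
	}
	return v, nil
}

func main() {
	b := &countingBackend{data: map[string]string{"db-password": "v1"}} // constructed sample
	c := newTTLCache(b, 5*time.Minute, nil)
	ctx := context.Background()
	for i := 0; i < 3; i++ {
		v, err := c.GetSecretValue(ctx, "db-password")
		fmt.Println(v, err, "backend calls:", b.calls)
	}
}
```

The test below also demonstrates the caveat a practitioner should keep in mind when choosing SECRET_CACHE_TTL: a value rotated or revoked at the backend keeps being served from the cache until its entry expires, so the TTL is an upper bound on how long a stale credential stays in use.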

type Config

type Config struct {
    SecretManagerType SecretManagerType `env:"SECRET_MANAGER, default=GOOGLE_SECRET_MANAGER"`
    SecretsDir        string            `env:"SECRETS_DIR, default=/var/run/secrets"`
    SecretCacheTTL    time.Duration     `env:"SECRET_CACHE_TTL, default=5m"`
    SecretExpansion   bool              `env:"SECRET_EXPANSION, default=false"`
}

Config represents the config for a secret manager.

type GoogleSecretManager

type GoogleSecretManager struct {
    // contains filtered or unexported fields
}

GoogleSecretManager implements SecretManager.

func (*GoogleSecretManager) GetSecretValue

func (sm *GoogleSecretManager) GetSecretValue(ctx context.Context, name string) (string, error)

GetSecretValue implements the SecretManager interface. Secret names should be of the format:

projects/my-project/secrets/my-secret/versions/123

type HashiCorpVault

type HashiCorpVault struct {
    // contains filtered or unexported fields
}

func (*HashiCorpVault) GetSecretValue

func (kv *HashiCorpVault) GetSecretValue(ctx context.Context, name string) (string, error)

GetSecretValue implements the SecretManager interface. Secrets are specified as the path to the secret in Vault. Secrets are expected to have the string value for the secret in a key named "value" in the "data" key. This matches the schema returned by the KVv2 secrets engine:

$ vault secrets enable -version=2 -path=secret kv
$ vault kv put secret/my-secret value="abc123"

For example:

/secret/data/my-secret #=> { "data": { "value": "dajkfl32ip2" } }

Note: this technically allows you to fetch dynamic secrets, but this library makes no attempt at renewing leases!

type InMemory

type InMemory struct {
    // contains filtered or unexported fields
}

InMemory is an in-memory secret manager, primarily used for testing.

func (*InMemory) GetSecretValue

func (m *InMemory) GetSecretValue(_ context.Context, k string) (string, error)

GetSecretValue returns the secret if it exists, otherwise an error.

type JSONExpander

type JSONExpander struct {
    // contains filtered or unexported fields
}

func (*JSONExpander) GetSecretValue

func (sm *JSONExpander) GetSecretValue(ctx context.Context, name string) (string, error)

GetSecretValue implements the SecretManager interface, but allows for json-expansion of the secret-value. If the secret name contains a period, the secret value is expected to be json. The secret name is assumed to come before the period, while the map-key is expected to follow.

For example, suppose a secret named "psqlcreds" has the value `{"username":"gandalf", "password":"abc"}`. When GetSecretValue(ctx, "psqlcreds") is called, the raw JSON value is returned. When GetSecretValue(ctx, "psqlcreds.username") is called, only "gandalf" (without quotes) is returned.
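The dot-notation expansion described above, as an added wrapper written for this page rather than the package's own JSONExpander. `jsonExpander` and `managerFunc` are constructed names; the behaviour for non-string members (returned as their literal JSON text) is an assumption, since the page only specifies the string case.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"strings"
)

// SecretManager mirrors the interface documented on this page.
type SecretManager interface {
	GetSecretValue(ctx context.Context, name string) (string, error)
}

// managerFunc adapts a plain function to SecretManager (constructed for this example).
type managerFunc func(ctx context.Context, name string) (string, error)

func (f managerFunc) GetSecretValue(ctx context.Context, name string) (string, error) {
	return f(ctx, name)
}

// jsonExpander wraps another manager and resolves "name.key" against a JSON object.
type jsonExpander struct {
	inner SecretManager
}

// GetSecretValue follows the documented rule: no period means the name is passed
// through untouched; otherwise the text before the first period is the secret
// name and the text after it is a key into the JSON object stored as that secret.
// Error messages name the secret and key but never echo the secret's contents.
func (j *jsonExpander) GetSecretValue(ctx context.Context, name string) (string, error) {
	dot := strings.Index(name, ".")
	if dot < 0 {
		return j.inner.GetSecretValue(ctx, name)
	}
	base, key := name[:dot], name[dot+1:]
	if base == "" || key == "" {
		return "", fmt.Errorf("malformed expanded secret name %q", name)
	}
	raw, err := j.inner.GetSecretValue(ctx, base)
	if err != nil {
		return "", err
	}
	var obj map[string]json.RawMessage
	if err := json.Unmarshal([]byte(raw), &obj); err != nil {
		return "", fmt.Errorf("secret %q is not a JSON object", base)
	}
	v, ok := obj[key]
	if !ok {
		return "", fmt.Errorf("secret %q has no key %q", base, key)
	}
	// String members come back unquoted, as the docs describe; any other JSON
	// value is returned as its literal JSON text (assumed behaviour).
	var s string
	if err := json.Unmarshal(v, &s); err == nil {
		return s, nil
	}
	return string(v), nil
}

func main() {
	// Constructed backing store holding the page's example secret plus a numeric member.
	backing := managerFunc(func(_ context.Context, name string) (string, error) {
		if name == "psqlcreds" {
			return `{"username":"gandalf", "password":"abc", "port": 5432}`, nil
		}
		return "", fmt.Errorf("no secret %q", name)
	})
	j := &jsonExpander{inner: backing}
	ctx := context.Background()
	for _, n := range []string{"psqlcreds", "psqlcreds.username", "psqlcreds.port", "psqlcreds.nope"} {
		v, err := j.GetSecretValue(ctx, n)
		fmt.Printf("%-20s -> %q err=%v\n", n, v, err)
	}
}
```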

type SecretManager

type SecretManager interface {
    GetSecretValue(ctx context.Context, name string) (string, error)
}

SecretManager defines the minimum shared functionality for a secret manager used by this application.

func NewAWSSecretsManager

func NewAWSSecretsManager(ctx context.Context) (SecretManager, error)

NewAWSSecretsManager creates a new secret manager for AWS. Configuration is provided via the standard AWS environment variables.

func NewAzureKeyVault

func NewAzureKeyVault(ctx context.Context) (SecretManager, error)

NewAzureKeyVault creates a new KeyVault secret manager that can fetch secrets.

func NewCacher

func NewCacher(ctx context.Context, f SecretManagerFunc, ttl time.Duration) (SecretManager, error)

NewCacher creates a new secret manager that caches results for the given ttl.

func NewGoogleSecretManager

func NewGoogleSecretManager(ctx context.Context) (SecretManager, error)

NewGoogleSecretManager creates a new secret manager for GCP.

func NewHashiCorpVault

func NewHashiCorpVault(ctx context.Context) (SecretManager, error)

NewHashiCorpVault creates a new secret manager that fetches secrets from HashiCorp Vault.

func NewInMemory

func NewInMemory(ctx context.Context) (SecretManager, error)

NewInMemory creates a new in-memory secret manager.

func NewInMemoryFromMap

func NewInMemoryFromMap(ctx context.Context, m map[string]string) (SecretManager, error)

NewInMemoryFromMap creates a new in-memory secret manager from the map.

func NewJSONExpander

func NewJSONExpander(ctx context.Context, f SecretManagerFunc) (SecretManager, error)

NewJSONExpander creates a new secret manager that allows secret values to be stored as JSON. When resolving secrets, if "dot-notation" is used in the secret name, the secret value is JSON-decoded and the part after the dot is used as the key to resolve the secret value.

func SecretManagerFor

func SecretManagerFor(ctx context.Context, typ SecretManagerType) (SecretManager, error)

SecretManagerFor returns the secret manager for the given type, or an error if one does not exist.

func WrapCacher

func WrapCacher(ctx context.Context, sm SecretManager, ttl time.Duration) (SecretManager, error)

WrapCacher wraps an existing SecretManager with caching.

func WrapJSONExpander

func WrapJSONExpander(ctx context.Context, sm SecretManager) (SecretManager, error)

WrapJSONExpander wraps an existing SecretManager with JSON-expansion logic.

type SecretManagerFunc

type SecretManagerFunc func(ctx context.Context) (SecretManager, error)

SecretManagerFunc is a func that returns a secret manager or an error.

type SecretManagerType

type SecretManagerType string

SecretManagerType represents a type of secret manager.

const (
    SecretManagerTypeAWSSecretsManager    SecretManagerType = "AWS_SECRETS_MANAGER"
    SecretManagerTypeAzureKeyVault        SecretManagerType = "AZURE_KEY_VAULT"
    SecretManagerTypeGoogleHashiCorpVault SecretManagerType = "HASHICORP_VAULT"
    SecretManagerTypeGoogleSecretManager  SecretManagerType = "GOOGLE_SECRET_MANAGER"
    SecretManagerTypeInMemory             SecretManagerType = "IN_MEMORY"
)

Package secrets imports 22 packages and is imported by 12 packages. Updated 2020-09-27.