

secrets

Openstorage support for Key Management Systems

Constants

const (
	// CustomSecretData, when present in the keyContext passed to the secrets
	// APIs, tells the secret provider to store the secret data supplied in
	// the call as-is instead of generating one.
	CustomSecretData = "custom_secret_data"

	// PublicSecretData, when present in the keyContext, tells the secrets
	// APIs that the call concerns the public part of a secret rather than
	// the secret itself.
	PublicSecretData = "public_secret_data"

	// OverwriteSecretDataInStore, when present in the keyContext, says
	// whether secret data already held in the persistent store may be
	// overwritten.
	OverwriteSecretDataInStore = "overwrite_secret_data_in_store"

	// SecretPath is a directory under /var/lib/osd. How it is used is not
	// visible from this package's API surface; consult the provider
	// implementations before relying on it.
	SecretPath = "/var/lib/osd/secrets/"
)
// Backend identifiers. They presumably match the name argument accepted by
// New, NewReader, NewStore and the Register* functions — confirm against each
// provider package before relying on that mapping.
const (
	// TypeAWSKMS identifies the AWS KMS backend.
	TypeAWSKMS = "aws-kms"
	// TypeAWSSecretsManager identifies the AWS Secrets Manager backend.
	TypeAWSSecretsManager = "aws-secrets-manager"
	// TypeAzure identifies the Azure backend.
	TypeAzure = "azure-kv"
	// TypeDCOS identifies the DC/OS backend.
	TypeDCOS = "dcos"
	// TypeDocker identifies the Docker backend.
	TypeDocker = "docker"
	// TypeGCloud identifies the Google Cloud KMS backend.
	TypeGCloud = "gcloud-kms"
	// TypeIBM identifies the IBM backend.
	TypeIBM = "ibm-kp"
	// TypeK8s identifies the Kubernetes backend.
	TypeK8s = "k8s"
	// TypeKVDB identifies the KVDB backend.
	TypeKVDB = "kvdb"
	// TypeVault identifies the Vault backend.
	TypeVault = "vault"
	// TypeVaultTransit identifies the Vault Transit backend.
	TypeVaultTransit = "vault-transit"
)
// keyContext parameters understood by the Vault backends.
const (
	// DestroySecret asks that a deleted Vault secret be destroyed instead of
	// soft-deleted. It is only meaningful when Vault's KV Secret Engine runs
	// version 2, where keys are versioned and soft-deleted by default.
	// Setting it PERMANENTLY removes all metadata and all versions of the
	// key, so treat it as an irreversible, destructive operation.
	DestroySecret = "destroy-all-secret-versions"

	// KeyVaultNamespace is the keyContext parameter for the Vault namespace.
	KeyVaultNamespace = "vault-namespace"
)

Variables

// Sentinel errors returned by the secrets APIs. Compare them with errors.Is
// rather than by message text. The messages are kept verbatim — including
// their capitalisation and the "conjuction" misspelling in
// ErrInvalidKvdbProvided — because existing callers may already match on
// them.
var (
	// Capability and authentication failures.

	// ErrNotSupported is returned when a backend does not implement the
	// requested function.
	ErrNotSupported = errors.New("implementation not supported")
	// ErrNotAuthenticated is returned when the client is not authenticated
	// with the secrets endpoint.
	ErrNotAuthenticated = errors.New("Not authenticated with the secrets endpoint")

	// Input validation failures.

	// ErrEmptySecretId is returned when no secret Name/ID is supplied for
	// retrieving secret data.
	ErrEmptySecretId = errors.New("Secret Name/ID cannot be empty")
	// ErrEmptySecretData is returned when a store request carries no secret
	// data.
	ErrEmptySecretData = errors.New("Secret data cannot be empty")
	// ErrInvalidSecretData is returned when the keyContext sets
	// CustomSecretData or PublicSecretData but no secret data is supplied.
	ErrInvalidSecretData = errors.New("Secret Data cannot be empty when CustomSecretData|PublicSecretData flag is set")
	// ErrInvalidKvdbProvided is returned when the KVDB handed to the
	// persistent secret store is not a usable implementation.
	ErrInvalidKvdbProvided = errors.New("Invalid kvdb provided. secret store works in conjuction with a kvdb")

	// Lookup outcomes.

	// ErrInvalidSecretId is returned when no secret data exists for the
	// given secret ID.
	ErrInvalidSecretId = errors.New("No Secret Data found for Secret ID")
	// ErrSecretExists is returned when a secret with the given ID is already
	// present.
	ErrSecretExists = errors.New("Secret Id already exists")
)

Functions

func KeyContextChecks

func KeyContextChecks(
	keyContext map[string]string,
	secretData map[string]interface{},
) error

KeyContextChecks performs a series of checks on the keys and values passed through the key context map

func Register

func Register(name string, bInit BackendInit) error

Register adds a new backend KMS

func RegisterReader

func RegisterReader(name string, init ReaderInit) error

RegisterReader adds a new backend KMS that implements SecretReader

func RegisterStore

func RegisterStore(name string, init StoreInit) error

RegisterStore adds a new backend KMS that implements SecretStore and SecretReader

func SetInstance

func SetInstance(secretsInstance Secrets) error

SetInstance sets the singleton instance of the secrets backend.

Types

type BackendInit

// BackendInit constructs a Secrets backend from a provider-specific
// configuration map. It is the constructor type accepted by Register; the
// contents of secretConfig are defined by each provider and may include
// credentials, so avoid logging the map.
type BackendInit func(
	secretConfig map[string]interface{},
) (Secrets, error)

type ErrInvalidKeyContext

// ErrInvalidKeyContext is returned when secret data is passed to the secret
// APIs together with an invalid key context. Match on the type with
// errors.As rather than on the message text.
type ErrInvalidKeyContext struct {
	// Reason explains why the key context was rejected.
	Reason string
}

ErrInvalidKeyContext is returned when secret data is provided to the secret APIs with an invalid key context.

func (*ErrInvalidKeyContext) Error

func (e *ErrInvalidKeyContext) Error() string

type ErrProviderInternal

// ErrProviderInternal is returned when the secrets provider reports an error
// that this library does not recognise. Match on the type with errors.As.
type ErrProviderInternal struct {
	// Provider names the backend that produced the error.
	Provider string
	// Reason describes the failure. It is provider-supplied text; consider
	// that before echoing it verbatim to callers outside a trust boundary.
	Reason string
}

ErrProviderInternal is returned when an error is received from the secrets provider that is not known to this library.

func (*ErrProviderInternal) Error

func (e *ErrProviderInternal) Error() string

type ReaderInit

// ReaderInit constructs a SecretReader from a provider-specific configuration
// map. It is the constructor type accepted by RegisterReader.
type ReaderInit func(map[string]interface{}) (SecretReader, error)

type SecretKey

// A SecretKey identifies a secret held by a SecretReader or SecretStore
// backend: Name is required, Prefix is optional. How Prefix and Name are
// combined into the backend's own key is provider-specific and not visible
// here.
type SecretKey struct {
	// Prefix is an optional part of the SecretKey.
	Prefix string
	// Name is a mandatory part of the SecretKey.
	Name string
}

A SecretKey identifies a secret

type SecretReader

// SecretReader is implemented by Secrets Managers that can read secrets
// addressed by a SecretKey.
type SecretReader interface {
	// String returns a human-readable representation of the backend.
	String() string
	// Get returns the secret data associated with the supplied key. Treat
	// the returned map as sensitive: keep it out of logs and error messages
	// and discard it once it has been used.
	Get(ctx context.Context, key SecretKey) (secret map[string]interface{}, err error)
}

SecretReader interface implemented by Secrets Managers to read secrets

func NewReader

func NewReader(name string, secretConfig map[string]interface{}) (SecretReader, error)

NewReader returns a new instance of the SecretReader backend SM identified by the supplied name. secretConfig is a map of key-value pairs that may be used to authenticate with the backend.

type SecretStore

// SecretStore is implemented by Secrets Managers that can set and delete
// secrets in addition to reading them (it embeds SecretReader).
type SecretStore interface {
	SecretReader
	// Set stores the secret data identified by the key.
	// The caller should ensure they use a unique key so that they won't
	// unknowingly overwrite an existing secret; nothing in this interface
	// guarantees that an existing secret is protected from being replaced.
	Set(ctx context.Context, key SecretKey, secret map[string]interface{}) error
	// Delete deletes the secret data associated with the supplied key.
	Delete(ctx context.Context, key SecretKey) error
}

SecretStore interface implemented by Secrets Managers to set and delete secrets.

func NewStore

func NewStore(name string, secretConfig map[string]interface{}) (SecretStore, error)

NewStore returns a new instance of the SecretStore backend SM identified by the supplied name. secretConfig is a map of key-value pairs that may be used to authenticate with the backend.

type Secrets

// Secrets is implemented by backend Key Management Systems (KMS). Most
// methods take a keyContext map; the keys this package defines for it
// include CustomSecretData, PublicSecretData, OverwriteSecretDataInStore,
// KeyVaultNamespace and DestroySecret, and KeyContextChecks validates the
// map's keys and values.
type Secrets interface {
	// String returns a human-readable representation of the backend KMS.
	String() string

	// GetSecret returns the secret data associated with the supplied
	// secretId together with the Version that was read (NoVersion for
	// providers that do not support versioning). The secret data is plain
	// text that callers can use to encrypt their own data. It is assumed
	// that the caller destroys the plain text once used; it should also be
	// kept out of logs and error messages.
	GetSecret(
		secretId string,
		keyContext map[string]string,
	) (map[string]interface{}, Version, error)

	// PutSecret associates secretId with the supplied plainText and stores
	// it in the secret backend, returning the Version of the stored secret.
	// The caller should ensure they use unique secretIDs so that they won't
	// unknowingly overwrite an existing secret; see also the
	// OverwriteSecretDataInStore keyContext key.
	PutSecret(
		secretId string,
		plainText map[string]interface{},
		keyContext map[string]string,
	) (Version, error)

	// DeleteSecret deletes the secret data associated with the supplied
	// secretId. For Vault backends, see the DestroySecret keyContext key,
	// which makes the deletion permanent.
	DeleteSecret(
		secretId string,
		keyContext map[string]string,
	) error

	// Encrypt encrypts the supplied plain text data using the key identified
	// by secretId. The API fetches the plain text key and encrypts the data
	// with it; the plain text key is not stored anywhere else and is removed
	// from memory afterwards.
	Encrypt(
		secretId string,
		plaintTextData string,
		keyContext map[string]string,
	) (string, error)

	// Decrypt decrypts the supplied encrypted data using the key identified
	// by secretId. The API fetches the plain text key and decrypts the data
	// with it; the plain text key is not stored anywhere else and is removed
	// from memory afterwards.
	Decrypt(
		secretId string,
		encryptedData string,
		keyContext map[string]string,
	) (string, error)

	// Rencrypt decrypts encryptedData with the previous key (identified by
	// originalSecretId and originalKeyContext) and re-encrypts it with the
	// new key (identified by newSecretId and newKeyContext). The method
	// name keeps its historical spelling: renaming it would break every
	// implementer of this interface.
	Rencrypt(
		originalSecretId string,
		newSecretId string,
		originalKeyContext map[string]string,
		newKeyContext map[string]string,
		encryptedData string,
	) (string, error)

	// ListSecrets returns a list of known secretIDs.
	ListSecrets() ([]string, error)
}

Secrets interface implemented by backend Key Management Systems (KMS)

func Instance

func Instance() Secrets

Instance returns the instance set via SetInstance, or nil if none has been set.

func New

func New(
	name string,
	secretConfig map[string]interface{},
) (Secrets, error)

New returns a new instance of the Secrets backend KMS identified by the supplied name. secretConfig is a map of key-value pairs that may be used to authenticate with the backend.

type StoreInit

// StoreInit constructs a SecretStore from a provider-specific configuration
// map. It is the constructor type accepted by RegisterStore.
type StoreInit func(map[string]interface{}) (SecretStore, error)

type Version

// Version is the unique identifier associated with the version of a stored
// secret. Providers that do not support versioning use NoVersion.
type Version string

Version represents the unique identifier associated with the version of a newly stored secret.

const (
	// NoVersion is the Version value reported by providers that do not
	// support versions for secrets.
	NoVersion Version = "noversion"
)
