
package secrets

import ""

Package secrets provides an interface for a simple secret store: you ask it for a secret (a byte blob, identified by some key), and it returns it to you (the current version, as well as a bunch of previous versions). Callers are supposed to use the secret for an operation and then forget it (e.g. do not try to store it elsewhere).

Secure storage, retrieval and rotation of secrets is outside of the scope of this interface: it's the responsibility of the implementation.


Package Files

context.go doc.go secrets.go


var (
    // ErrNoStoreConfigured is returned by GetSecret if secret store is not in
    // the context.
    ErrNoStoreConfigured = errors.New("secrets.Store is not in the context")
)

var (
    // ErrNoSuchSecret is returned by Store.GetSecret if it can't find a secret.
    ErrNoSuchSecret = errors.New("secret not found")
)

func Set

func Set(c context.Context, s Store) context.Context

Set injects the Store object into the context, to be returned by Get as is.

func SetFactory

func SetFactory(c context.Context, f Factory) context.Context

SetFactory sets the function to produce Store instances when Get(c) is used.

type Factory

type Factory func(context.Context) Store

Factory knows how to make a new Store.

type Key

type Key string

Key names a secret.

type NamedBlob

type NamedBlob struct {
    ID   string // short human readable URL safe string
    Blob []byte // actual secret blob, size depends on Store implementation
}

NamedBlob is a byte buffer with an ID string that identifies this particular version of the secret.

func (NamedBlob) Clone

func (b NamedBlob) Clone() NamedBlob

Clone makes a deep copy of the NamedBlob.

type Secret

type Secret struct {
    Current  NamedBlob   // current value of the secret, always set
    Previous []NamedBlob // optional list of previous values, most recent first
}

Secret represents the current value of a secret as well as a few previous values. Previous values are important when a key is being rotated: there may be valid outstanding derivatives of previous values of the secret.

Each value (current and previous) has an identifier that can be put into derived messages to name the specific version of the value.
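The rotation scheme described above, as an added example (not code from the luci project): a token carries the ID of the secret version it was derived from, so after rotation a verifier can still find the matching previous blob via Blobs(), while a token naming a retired or unknown version fails. Because the real import path is not on this page, the example re-declares the Key, NamedBlob, Secret and StaticStore shapes locally; Sign, Verify, the "session-hmac" key and the "v1"/"v2" blobs are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Local re-declaration of the API shapes documented on this page, so the
// example compiles without the real package. These are not the project's code.
type Key string

type NamedBlob struct {
	ID   string // names this version of the secret
	Blob []byte // the secret material itself
}

type Secret struct {
	Current  NamedBlob
	Previous []NamedBlob // most recent first
}

// Blobs returns the current blob followed by all previous blobs.
func (s Secret) Blobs() []NamedBlob {
	out := make([]NamedBlob, 0, 1+len(s.Previous))
	out = append(out, s.Current)
	return append(out, s.Previous...)
}

var ErrNoSuchSecret = errors.New("secret not found")

type StaticStore map[Key]Secret

// GetSecret hands out a deep copy so callers cannot mutate the store's
// backing arrays (the precaution the Store interface documents).
func (s StaticStore) GetSecret(k Key) (Secret, error) {
	sec, ok := s[k]
	if !ok {
		return Secret{}, ErrNoSuchSecret
	}
	cp := Secret{Current: NamedBlob{ID: sec.Current.ID, Blob: append([]byte(nil), sec.Current.Blob...)}}
	for _, p := range sec.Previous {
		cp.Previous = append(cp.Previous, NamedBlob{ID: p.ID, Blob: append([]byte(nil), p.Blob...)})
	}
	return cp, nil
}

// Sign derives a token "<version id>:<hex hmac>" from the secret's Current value.
// Embedding the ID is what lets the verifier pick the right version later.
func Sign(s Secret, msg []byte) string {
	mac := hmac.New(sha256.New, s.Current.Blob)
	mac.Write(msg)
	return s.Current.ID + ":" + hex.EncodeToString(mac.Sum(nil))
}

// Verify accepts a token minted under any version still listed in the secret
// (current or previous) and rejects unknown IDs or a forged/tampered MAC.
func Verify(s Secret, msg []byte, token string) bool {
	parts := strings.SplitN(token, ":", 2)
	if len(parts) != 2 {
		return false
	}
	want, err := hex.DecodeString(parts[1])
	if err != nil {
		return false
	}
	for _, b := range s.Blobs() {
		if b.ID != parts[0] {
			continue
		}
		mac := hmac.New(sha256.New, b.Blob)
		mac.Write(msg)
		return hmac.Equal(mac.Sum(nil), want) // constant-time comparison
	}
	return false // version id not known to this secret: retired or forged
}

func main() {
	// Constructed sample: the store before and after rotating "session-hmac".
	v1 := NamedBlob{ID: "v1", Blob: []byte("key-material-one")}
	v2 := NamedBlob{ID: "v2", Blob: []byte("key-material-two")}
	before := StaticStore{"session-hmac": {Current: v1}}
	after := StaticStore{"session-hmac": {Current: v2, Previous: []NamedBlob{v1}}}

	old, _ := before.GetSecret("session-hmac")
	msg := []byte("user=42")
	tok := Sign(old, msg) // minted before rotation

	cur, _ := after.GetSecret("session-hmac")
	fmt.Println("old token still valid after rotation:", Verify(cur, msg, tok))
	fmt.Println("new token valid:", Verify(cur, msg, Sign(cur, msg)))
	fmt.Println("tampered message accepted:", Verify(cur, []byte("user=43"), tok))
}
```

Once v1 is dropped from Previous, tokens naming "v1" stop verifying, which is how a store operator retires a version after its derivatives have expired.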

func GetSecret

func GetSecret(c context.Context, k Key) (Secret, error)

GetSecret is a shortcut for grabbing a Store from the context and using its GetSecret method. If the context doesn't have a Store set, it returns ErrNoStoreConfigured.

func (Secret) Blobs

func (s Secret) Blobs() []NamedBlob

Blobs returns the current blob and all previous blobs as one array.

func (Secret) Clone

func (s Secret) Clone() Secret

Clone makes a deep copy of the Secret.

type StaticStore

type StaticStore map[Key]Secret

StaticStore is a Store with predefined secrets.

func (StaticStore) GetSecret

func (s StaticStore) GetSecret(k Key) (Secret, error)

GetSecret returns a copy of a secret given its key, or ErrNoSuchSecret if there is no such secret.

type Store

type Store interface {
    // GetSecret returns a secret given its key. Store may choose to autogenerate
    // a secret if there's no existing one, or it may choose to treat it as an
    // error and return ErrNoSuchSecret. Returned secret is always a mutable copy
    // of an actual secret in the Store's gut (just a precaution against
    // unintended modifications of arrays that back all byte blobs).
    GetSecret(Key) (Secret, error)
}

Store knows how to retrieve (or autogenerate) a secret given its key.

func Get

func Get(c context.Context) Store

Get grabs a Store by calling the Factory stored in the context. If one hasn't been set, it returns nil.


Directories

testsecrets    Package testsecrets provides a dumb in-memory secret store to use in unit tests.

Package secrets imports 2 packages and is imported by 6 packages. Updated 2019-04-20.