secrets

package
v1.0.0 Latest

Warning: This package is not in the latest version of its module.
Published: Jan 28, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Index

Constants

const MasterKeyEnv = "SECRETS_MASTER_KEY"

MasterKeyEnv is the shared env var name used by Supabase Edge and enclave services for secret encryption/decryption.

Variables

var (
	// ErrNotFound indicates the secret does not exist for the given user/name.
	ErrNotFound = errors.New("secret not found")
	// ErrForbidden indicates the caller's service ID is not allowed to access the secret.
	ErrForbidden = errors.New("secret access forbidden")
	// ErrInvalidCiphertext indicates the stored secret cannot be decrypted.
	ErrInvalidCiphertext = errors.New("invalid secret ciphertext")
)

Functions

This section is empty.

Types

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

func NewManager

func NewManager(repo Repository, rawKey []byte) (*Manager, error)

func (*Manager) GetSecretForService

func (m *Manager) GetSecretForService(ctx context.Context, userID, name, serviceID string, strict bool) (string, error)

type Provider

type Provider interface {
	GetSecret(ctx context.Context, userID, name string) (string, error)
}

Provider resolves decrypted secret values for a given user.

Implementations must enforce per-user ownership and any per-secret policy constraints (allowed services), because the enclave services treat the returned value as sensitive and must not fetch secrets they are not entitled to.

type Repository

type Repository interface {
	GetSecretByName(ctx context.Context, userID, name string) (*secretssupabase.Secret, error)
	GetAllowedServices(ctx context.Context, userID, secretName string) ([]string, error)
	CreateAuditLog(ctx context.Context, log *secretssupabase.AuditLog) error
}

type ServiceProvider

type ServiceProvider struct {
	Manager   *Manager
	ServiceID string
}

ServiceProvider is the standard Provider implementation used by enclave services.

It enforces per-secret allowlists (secret_policies) using the service ID and decrypts secrets using the configured Manager.

func (ServiceProvider) GetSecret

func (p ServiceProvider) GetSecret(ctx context.Context, userID, name string) (string, error)
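The enforcement contract described for Provider and ServiceProvider above (per-user ownership, a per-secret service allowlist, then decryption under the master key, with the three sentinel errors as outcomes) is sketched below as an added example. This is not code from the secrets package: storedSecret and auditEntry are hypothetical stand-ins for secretssupabase.Secret and secretssupabase.AuditLog (whose fields this page does not show), memRepo is a constructed in-memory Repository, AES-256-GCM with the user ID and secret name bound as additional data is an assumed cipher choice (the page only says a master key is used), and writing an audit row on a denied access is likewise an assumption.

```go
package main

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"slices"
)

// Sentinel errors with the same meaning as the package's exported variables.
var (
	ErrNotFound          = errors.New("secret not found")
	ErrForbidden         = errors.New("secret access forbidden")
	ErrInvalidCiphertext = errors.New("invalid secret ciphertext")
)

// Hypothetical stand-ins for secretssupabase.Secret and secretssupabase.AuditLog,
// whose fields the page does not show. Ciphertext layout: nonce || AES-GCM output.
type storedSecret struct{ Ciphertext []byte }
type auditEntry struct{ UserID, Name, ServiceID, Outcome string }

// memRepo is an in-memory Repository for this example. Rows are keyed by
// (userID, name), so a lookup under the wrong user is simply "not found".
type memRepo struct {
	secrets map[string]storedSecret
	allowed map[string][]string // per-secret service allowlist (secret_policies)
	audit   []auditEntry
}

func rowKey(userID, name string) string { return userID + "/" + name }

func (r *memRepo) GetSecretByName(_ context.Context, userID, name string) (*storedSecret, error) {
	s, ok := r.secrets[rowKey(userID, name)]
	if !ok {
		return nil, ErrNotFound
	}
	return &s, nil
}

func (r *memRepo) GetAllowedServices(_ context.Context, userID, name string) ([]string, error) {
	return r.allowed[rowKey(userID, name)], nil
}

func (r *memRepo) CreateAuditLog(_ context.Context, e *auditEntry) error {
	r.audit = append(r.audit, *e)
	return nil
}

// newAEAD derives AES-256-GCM from a 32-byte master key (assumed cipher; the page only names the key).
func newAEAD(rawKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(rawKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSecret binds userID/name as additional data, so a ciphertext copied onto another row will not open.
func encryptSecret(aead cipher.AEAD, userID, name, plaintext string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(plaintext), []byte(rowKey(userID, name))), nil
}

// serviceProvider mirrors the ServiceProvider contract: ownership via the
// (userID, name) lookup, allowlist via the caller's service ID, then decrypt.
type serviceProvider struct {
	repo      *memRepo
	aead      cipher.AEAD
	serviceID string
}

func (p *serviceProvider) GetSecret(ctx context.Context, userID, name string) (string, error) {
	s, err := p.repo.GetSecretByName(ctx, userID, name)
	if err != nil {
		return "", err
	}
	allowed, err := p.repo.GetAllowedServices(ctx, userID, name)
	if err != nil {
		return "", err
	}
	if !slices.Contains(allowed, p.serviceID) { // audit-on-deny is an assumption
		_ = p.repo.CreateAuditLog(ctx, &auditEntry{userID, name, p.serviceID, "forbidden"})
		return "", ErrForbidden
	}
	ns := p.aead.NonceSize()
	if len(s.Ciphertext) < ns {
		return "", ErrInvalidCiphertext
	}
	pt, err := p.aead.Open(nil, s.Ciphertext[:ns], s.Ciphertext[ns:], []byte(rowKey(userID, name)))
	if err != nil {
		return "", ErrInvalidCiphertext // wrong key, tampered bytes, or wrong row
	}
	_ = p.repo.CreateAuditLog(ctx, &auditEntry{userID, name, p.serviceID, "ok"})
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; production would read SECRETS_MASTER_KEY
	aead, _ := newAEAD(key)
	ct, _ := encryptSecret(aead, "user-1", "API_TOKEN", "constructed-token")
	repo := &memRepo{secrets: map[string]storedSecret{rowKey("user-1", "API_TOKEN"): {Ciphertext: ct}},
		allowed: map[string][]string{rowKey("user-1", "API_TOKEN"): {"svc-a"}}}
	p := &serviceProvider{repo: repo, aead: aead, serviceID: "svc-b"} // svc-b is not on the allowlist
	_, err := p.GetSecret(context.Background(), "user-1", "API_TOKEN")
	fmt.Println("svc-b:", err)
}
```

The ordering matters for what a caller can learn: the ownership lookup runs first, so a service that is not on the allowlist is told "forbidden" only for secrets that exist under that user, and decryption never runs before the policy check. Binding the row identity into the AEAD additional data means a ciphertext moved between rows in the store surfaces as ErrInvalidCiphertext rather than as another user's plaintext.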

Directories

Path Synopsis
Package supabase provides Secrets-specific database operations.
