Documentation
Overview ¶
Package commands contains CLI command implementations for the application.
Index ¶
- func CloseContainer(container *app.Container, logger *slog.Logger)
- func CloseMigrate(migrate *migrate.Migrate, logger *slog.Logger)
- func ExecuteWithContainer(ctx context.Context, ...) error
- func ParseAlgorithm(algorithmStr string) (keyring.Algorithm, error)
- func ParseFormatType(formatType string) (tokenizationDomain.FormatType, error)
- func RunCleanAuditLogs(ctx context.Context, auditLogUseCase authUseCase.AuditLogUseCase, ...) error
- func RunCleanExpiredTokens(ctx context.Context, ...) error
- func RunCreateClient(ctx context.Context, clientUseCase authUseCase.ClientUseCase, ...) error
- func RunCreateKek(ctx context.Context, kekUseCase keyring.KekUseCase, ...) error
- func RunCreateMasterKey(ctx context.Context, kmsService keyring.KMSService, logger *slog.Logger, ...) error
- func RunCreateTokenizationKey(ctx context.Context, ...) error
- func RunMigrations(logger *slog.Logger, dbConnectionString string) error
- func RunMigrationsDown(logger *slog.Logger, dbConnectionString string, steps int) error
- func RunPurgeAuthTokens(ctx context.Context, tokenUseCase usecase.TokenUseCase, ...) error
- func RunPurgeSecrets(ctx context.Context, secretUseCase secretsUseCase.SecretUseCase, ...) error
- func RunPurgeTokenizationKeys(ctx context.Context, ...) error
- func RunPurgeTransitKeys(ctx context.Context, transitUseCase transitUseCase.TransitKeyUseCase, ...) error
- func RunRewrapDeks(ctx context.Context, kr keyring.Keyring, logger *slog.Logger, kekIDStr string, ...) error
- func RunRotateClientSecret(ctx context.Context, clientUseCase authUseCase.ClientUseCase, ...) error
- func RunRotateKek(ctx context.Context, kekUseCase keyring.KekUseCase, ...) error
- func RunRotateMasterKey(ctx context.Context, kmsService keyring.KMSService, logger *slog.Logger, ...) error
- func RunRotateTokenizationKey(ctx context.Context, ...) error
- func RunServer(ctx context.Context, version string) error
- func RunUpdateClient(ctx context.Context, clientUseCase authUseCase.ClientUseCase, ...) error
- func RunVerifyAuditLogs(ctx context.Context, auditLogUseCase authUseCase.AuditLogUseCase, ...) error
- func WriteOutput(writer io.Writer, format string, data Formatter)
- type CleanAuditLogsResult
- type CleanExpiredTokensResult
- type CreateClientResult
- type Formatter
- type IOTuple
- type PurgeAuthTokensResult
- type PurgeSecretsResult
- type PurgeTokenizationKeysResult
- type PurgeTransitKeysResult
- type RotateClientSecretResult
- type UpdateClientResult
- type VerifyAuditLogsResult
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CloseContainer ¶ added in v0.23.0
CloseContainer closes all resources in the container and logs any errors.
func CloseMigrate ¶ added in v0.23.0
CloseMigrate closes the migration instance and logs any errors.
func ExecuteWithContainer ¶ added in v0.23.0
func ExecuteWithContainer( ctx context.Context, fn func(ctx context.Context, container *app.Container) error, ) error
ExecuteWithContainer encapsulates the standard CLI command execution pattern: loading configuration, initializing the DI container, and ensuring graceful shutdown.
func ParseAlgorithm ¶ added in v0.23.0
ParseAlgorithm converts an algorithm string to the keyring.Algorithm type.
func ParseFormatType ¶ added in v0.23.0
func ParseFormatType(formatType string) (tokenizationDomain.FormatType, error)
ParseFormatType converts a format type string to the tokenizationDomain.FormatType type.
func RunCleanAuditLogs ¶ added in v0.2.0
func RunCleanAuditLogs( ctx context.Context, auditLogUseCase authUseCase.AuditLogUseCase, logger *slog.Logger, writer io.Writer, days int, dryRun bool, format string, ) error
RunCleanAuditLogs deletes audit logs older than the specified number of days. Supports dry-run mode and multiple output formats.
func RunCleanExpiredTokens ¶ added in v0.4.0
func RunCleanExpiredTokens( ctx context.Context, tokenizationUseCase tokenizationUseCase.TokenizationUseCase, bm metrics.BusinessMetrics, logger *slog.Logger, writer io.Writer, days int, dryRun bool, format string, ) error
RunCleanExpiredTokens deletes expired tokens older than the specified number of days. Supports dry-run mode and multiple output formats.
func RunCreateClient ¶
func RunCreateClient( ctx context.Context, clientUseCase authUseCase.ClientUseCase, logger *slog.Logger, name string, isActive bool, policiesJSON string, format string, io IOTuple, ) error
RunCreateClient creates a new authentication client with policies. Supports both interactive mode (when policiesJSON is empty) and non-interactive mode (when policiesJSON is provided).
func RunCreateKek ¶
func RunCreateKek( ctx context.Context, kekUseCase keyring.KekUseCase, masterKeyChain *keyring.MasterKeyChain, logger *slog.Logger, algorithmStr string, ) error
RunCreateKek creates a new Key Encryption Key (KEK) and encrypts it with the master key. The new KEK will be stored in the database and marked as active for its algorithm.
func RunCreateMasterKey ¶
func RunCreateMasterKey( ctx context.Context, kmsService keyring.KMSService, logger *slog.Logger, writer io.Writer, keyID string, kmsProvider string, kmsKeyURI string, ) error
RunCreateMasterKey generates a cryptographically secure 32-byte master key for envelope encryption. Creates the root key used to encrypt all KEKs. Key material is zeroed from memory after encoding. If keyID is empty, a default ID of the form "master-key-YYYY-MM-DD" is generated.
KMS parameters (kmsProvider and kmsKeyURI) are required. The master key is encrypted with KMS before output. For local development, use kmsProvider="localsecrets" with kmsKeyURI="base64key://...".
Output format:
- MASTER_KEYS="<keyID>:<base64-encoded-kms-ciphertext>"
- KMS_PROVIDER="<provider>"
- KMS_KEY_URI="<uri>"
Security: Never use the localsecrets provider in production. Use a cloud KMS provider (gcpkms, awskms, azurekeyvault).
func RunCreateTokenizationKey ¶ added in v0.4.0
func RunCreateTokenizationKey( ctx context.Context, tokenizationKeyUseCase tokenizationUseCase.TokenizationKeyUseCase, logger *slog.Logger, name string, formatTypeStr string, isDeterministic bool, algorithmStr string, ) error
RunCreateTokenizationKey creates a new tokenization key with the specified parameters. Should be run during initial setup or when adding new tokenization formats.
func RunMigrations ¶
RunMigrations executes all pending PostgreSQL database migrations. Returns nil when there are no pending migrations to apply. Logs migration progress and success.
func RunMigrationsDown ¶ added in v0.25.0
RunMigrationsDown rolls back PostgreSQL database migrations. Returns nil when there are no migrations to roll back. Logs migration progress and success.
func RunPurgeAuthTokens ¶ added in v0.27.0
func RunPurgeAuthTokens( ctx context.Context, tokenUseCase usecase.TokenUseCase, bm metrics.BusinessMetrics, logger *slog.Logger, writer io.Writer, days int, dryRun bool, format string, ) error
RunPurgeAuthTokens deletes expired and revoked authentication tokens older than the specified number of days. Supports dry-run mode (when the use case implements it) and multiple output formats.
func RunPurgeSecrets ¶ added in v0.25.0
func RunPurgeSecrets( ctx context.Context, secretUseCase secretsUseCase.SecretUseCase, bm metrics.BusinessMetrics, logger *slog.Logger, writer io.Writer, days int, dryRun bool, format string, ) error
RunPurgeSecrets permanently deletes soft-deleted secrets older than the specified number of days. Supports dry-run mode and multiple output formats.
func RunPurgeTokenizationKeys ¶ added in v0.26.0
func RunPurgeTokenizationKeys( ctx context.Context, tokenizationUseCase tokenizationUseCase.TokenizationKeyUseCase, bm metrics.BusinessMetrics, logger *slog.Logger, writer io.Writer, days int, dryRun bool, format string, ) error
RunPurgeTokenizationKeys permanently deletes soft-deleted tokenization keys and their tokens older than the specified number of days. Supports dry-run mode and multiple output formats.
func RunPurgeTransitKeys ¶ added in v0.26.0
func RunPurgeTransitKeys( ctx context.Context, transitUseCase transitUseCase.TransitKeyUseCase, bm metrics.BusinessMetrics, logger *slog.Logger, writer io.Writer, days int, dryRun bool, format string, ) error
RunPurgeTransitKeys permanently deletes soft-deleted transit keys older than the specified number of days. Supports dry-run mode and multiple output formats.
func RunRewrapDeks ¶ added in v0.12.0
func RunRewrapDeks( ctx context.Context, kr keyring.Keyring, logger *slog.Logger, kekIDStr string, batchSize int, ) error
RunRewrapDeks finds DEKs not encrypted with the keyring's active KEK and rewraps them in batches. The kekIDStr argument is a safety check: it must match the keyring's currently-active KEK, so an operator cannot accidentally rewrap DEKs against a stale chain.
func RunRotateClientSecret ¶ added in v0.28.0
func RunRotateClientSecret( ctx context.Context, clientUseCase authUseCase.ClientUseCase, logger *slog.Logger, writer io.Writer, id string, format string, ) error
RunRotateClientSecret generates a new secret for a client and revokes all its active tokens.
func RunRotateKek ¶
func RunRotateKek( ctx context.Context, kekUseCase keyring.KekUseCase, masterKeyChain *keyring.MasterKeyChain, logger *slog.Logger, algorithmStr string, ) error
RunRotateKek rotates the Key Encryption Key (KEK) for a specific algorithm. Generates a new KEK version and marks it as active. Existing secrets encrypted with old KEKs remain valid until rewrapped.
func RunRotateMasterKey ¶ added in v0.6.0
func RunRotateTokenizationKey ¶ added in v0.4.0
func RunRotateTokenizationKey( ctx context.Context, tokenizationKeyUseCase tokenizationUseCase.TokenizationKeyUseCase, logger *slog.Logger, name string, formatTypeStr string, isDeterministic bool, algorithmStr string, ) error
RunRotateTokenizationKey rotates an existing tokenization key to a new version. Updates format and deterministic settings. Existing tokens remain valid until rotated.
func RunServer ¶
RunServer starts the HTTP server with graceful shutdown support. Loads configuration, initializes the DI container, and starts the Gin HTTP server. Blocks until receiving SIGINT/SIGTERM or encountering a fatal error. On shutdown signal, gracefully stops the server within the DBConnMaxLifetime timeout.
func RunUpdateClient ¶
func RunUpdateClient( ctx context.Context, clientUseCase authUseCase.ClientUseCase, logger *slog.Logger, io IOTuple, clientIDStr string, name string, isActive bool, policiesJSON string, format string, ) error
RunUpdateClient updates an existing authentication client's configuration. Supports both interactive mode (when policiesJSON is empty) and non-interactive mode (when policiesJSON is provided).
func RunVerifyAuditLogs ¶ added in v0.9.0
func RunVerifyAuditLogs( ctx context.Context, auditLogUseCase authUseCase.AuditLogUseCase, logger *slog.Logger, writer io.Writer, startDateStr, endDateStr string, format string, ) error
RunVerifyAuditLogs verifies the cryptographic integrity of audit logs within a time range.
Types ¶
type CleanAuditLogsResult ¶ added in v0.23.0
// CleanAuditLogsResult holds the result of the audit log cleanup operation
// performed by RunCleanAuditLogs. It is rendered via ToJSON/ToText.
type CleanAuditLogsResult struct {
	// Count is the number of audit logs the cleanup reported. In dry-run mode
	// this is presumably the number that would have been deleted — confirm
	// against RunCleanAuditLogs.
	Count int64 `json:"count"`
	// Days is the age threshold, in days, the cleanup was run with
	// (presumably echoes the days argument of RunCleanAuditLogs).
	Days int `json:"days"`
	// DryRun mirrors the dryRun flag passed to RunCleanAuditLogs, so a reader
	// of the output can tell whether anything was actually removed.
	DryRun bool `json:"dry_run"`
}
CleanAuditLogsResult holds the result of the audit log cleanup operation.
func (*CleanAuditLogsResult) ToJSON ¶ added in v0.23.0
func (r *CleanAuditLogsResult) ToJSON() string
ToJSON returns a JSON representation of the cleanup result.
func (*CleanAuditLogsResult) ToText ¶ added in v0.23.0
func (r *CleanAuditLogsResult) ToText() string
ToText returns a human-readable representation of the cleanup result.
type CleanExpiredTokensResult ¶ added in v0.23.0
// CleanExpiredTokensResult holds the result of the expired token cleanup
// operation performed by RunCleanExpiredTokens. It is rendered via ToJSON/ToText.
type CleanExpiredTokensResult struct {
	// Count is the number of expired tokens the cleanup reported. In dry-run
	// mode this is presumably the number that would have been deleted —
	// confirm against RunCleanExpiredTokens.
	Count int64 `json:"count"`
	// Days is the age threshold, in days, the cleanup was run with
	// (presumably echoes the days argument of RunCleanExpiredTokens).
	Days int `json:"days"`
	// DryRun mirrors the dryRun flag passed to RunCleanExpiredTokens.
	DryRun bool `json:"dry_run"`
}
CleanExpiredTokensResult holds the result of the expired token cleanup operation.
func (*CleanExpiredTokensResult) ToJSON ¶ added in v0.23.0
func (r *CleanExpiredTokensResult) ToJSON() string
ToJSON returns a JSON representation of the cleanup result.
func (*CleanExpiredTokensResult) ToText ¶ added in v0.23.0
func (r *CleanExpiredTokensResult) ToText() string
ToText returns a human-readable representation of the cleanup result.
type CreateClientResult ¶ added in v0.23.0
// CreateClientResult holds the result of the client creation operation
// performed by RunCreateClient. ToJSON/ToText render it, so everything in
// this struct — including the plaintext secret — ends up in command output.
type CreateClientResult struct {
	// ID is the identifier of the newly created client; serialized as "client_id".
	ID string `json:"client_id"`
	// PlainSecret is the client's plaintext secret, serialized under the "secret"
	// key by ToJSON. This is the one place the secret is surfaced; consumers of
	// the command output should treat it as credential material (presumably it is
	// not recoverable later — confirm against RunCreateClient). The gosec
	// suppression below is deliberate for this secret-bearing field.
	// #nosec G117
	PlainSecret string `json:"secret"`
}
CreateClientResult holds the result of the client creation operation.
func (*CreateClientResult) ToJSON ¶ added in v0.23.0
func (r *CreateClientResult) ToJSON() string
ToJSON returns a JSON representation of the creation result.
func (*CreateClientResult) ToText ¶ added in v0.23.0
func (r *CreateClientResult) ToText() string
ToText returns a human-readable representation of the creation result.
type Formatter ¶ added in v0.23.0
Formatter defines the interface for data that can be output in multiple formats.
type PurgeAuthTokensResult ¶ added in v0.27.0
// PurgeAuthTokensResult holds the result of the authentication token purge
// operation performed by RunPurgeAuthTokens. It is rendered via ToJSON/ToText.
type PurgeAuthTokensResult struct {
	// Count is the number of expired/revoked tokens the purge reported. In
	// dry-run mode this is presumably the number that would have been deleted
	// — confirm against RunPurgeAuthTokens.
	Count int64 `json:"count"`
	// Days is the age threshold, in days, the purge was run with
	// (presumably echoes the days argument of RunPurgeAuthTokens).
	Days int `json:"days"`
	// DryRun mirrors the dryRun flag passed to RunPurgeAuthTokens.
	DryRun bool `json:"dry_run"`
}
PurgeAuthTokensResult holds the result of the authentication token purge operation.
func (*PurgeAuthTokensResult) ToJSON ¶ added in v0.27.0
func (r *PurgeAuthTokensResult) ToJSON() string
ToJSON returns a JSON representation of the purge result.
func (*PurgeAuthTokensResult) ToText ¶ added in v0.27.0
func (r *PurgeAuthTokensResult) ToText() string
ToText returns a human-readable representation of the purge result.
type PurgeSecretsResult ¶ added in v0.25.0
// PurgeSecretsResult holds the result of the secret purge operation performed
// by RunPurgeSecrets. It is rendered via ToJSON/ToText.
type PurgeSecretsResult struct {
	// Count is the number of soft-deleted secrets the purge reported. In
	// dry-run mode this is presumably the number that would have been
	// permanently deleted — confirm against RunPurgeSecrets.
	Count int64 `json:"count"`
	// Days is the age threshold, in days, the purge was run with
	// (presumably echoes the days argument of RunPurgeSecrets).
	Days int `json:"days"`
	// DryRun mirrors the dryRun flag passed to RunPurgeSecrets.
	DryRun bool `json:"dry_run"`
}
PurgeSecretsResult holds the result of the secret purge operation.
func (*PurgeSecretsResult) ToJSON ¶ added in v0.25.0
func (r *PurgeSecretsResult) ToJSON() string
ToJSON returns a JSON representation of the purge result.
func (*PurgeSecretsResult) ToText ¶ added in v0.25.0
func (r *PurgeSecretsResult) ToText() string
ToText returns a human-readable representation of the purge result.
type PurgeTokenizationKeysResult ¶ added in v0.26.0
// PurgeTokenizationKeysResult holds the result of the tokenization key purge
// operation performed by RunPurgeTokenizationKeys. It is rendered via
// ToJSON/ToText.
type PurgeTokenizationKeysResult struct {
	// Count is the number of soft-deleted tokenization keys the purge reported.
	// In dry-run mode this is presumably the number that would have been
	// permanently deleted — confirm against RunPurgeTokenizationKeys.
	Count int64 `json:"count"`
	// Days is the age threshold, in days, the purge was run with
	// (presumably echoes the days argument of RunPurgeTokenizationKeys).
	Days int `json:"days"`
	// DryRun mirrors the dryRun flag passed to RunPurgeTokenizationKeys.
	DryRun bool `json:"dry_run"`
}
PurgeTokenizationKeysResult holds the result of the tokenization key purge operation.
func (*PurgeTokenizationKeysResult) ToJSON ¶ added in v0.26.0
func (r *PurgeTokenizationKeysResult) ToJSON() string
ToJSON returns a JSON representation of the purge result.
func (*PurgeTokenizationKeysResult) ToText ¶ added in v0.26.0
func (r *PurgeTokenizationKeysResult) ToText() string
ToText returns a human-readable representation of the purge result.
type PurgeTransitKeysResult ¶ added in v0.26.0
// PurgeTransitKeysResult holds the result of the transit key purge operation
// performed by RunPurgeTransitKeys. It is rendered via ToJSON/ToText.
type PurgeTransitKeysResult struct {
	// Count is the number of soft-deleted transit keys the purge reported. In
	// dry-run mode this is presumably the number that would have been
	// permanently deleted — confirm against RunPurgeTransitKeys.
	Count int64 `json:"count"`
	// Days is the age threshold, in days, the purge was run with
	// (presumably echoes the days argument of RunPurgeTransitKeys).
	Days int `json:"days"`
	// DryRun mirrors the dryRun flag passed to RunPurgeTransitKeys.
	DryRun bool `json:"dry_run"`
}
PurgeTransitKeysResult holds the result of the transit key purge operation.
func (*PurgeTransitKeysResult) ToJSON ¶ added in v0.26.0
func (r *PurgeTransitKeysResult) ToJSON() string
ToJSON returns a JSON representation of the purge result.
func (*PurgeTransitKeysResult) ToText ¶ added in v0.26.0
func (r *PurgeTransitKeysResult) ToText() string
ToText returns a human-readable representation of the purge result.
type RotateClientSecretResult ¶ added in v0.28.0
// RotateClientSecretResult holds the result of the client secret rotation
// operation performed by RunRotateClientSecret. ToJSON/ToText render it, so the
// new plaintext secret is part of the command output written to the writer.
type RotateClientSecretResult struct {
	// ID is the identifier of the client whose secret was rotated; serialized
	// as "client_id".
	ID string `json:"client_id"`
	// PlainSecret is the newly generated plaintext secret, serialized under the
	// "secret" key by ToJSON. Consumers of the output should treat it as
	// credential material; the previous secret is presumably no longer valid and
	// RunRotateClientSecret revokes the client's active tokens. The gosec
	// suppression below is deliberate for this secret-bearing field.
	// #nosec G117
	PlainSecret string `json:"secret"`
}
RotateClientSecretResult holds the result of the client secret rotation operation.
func (*RotateClientSecretResult) ToJSON ¶ added in v0.28.0
func (r *RotateClientSecretResult) ToJSON() string
ToJSON returns a JSON representation of the rotation result.
func (*RotateClientSecretResult) ToText ¶ added in v0.28.0
func (r *RotateClientSecretResult) ToText() string
ToText returns a human-readable representation of the rotation result.
type UpdateClientResult ¶ added in v0.23.0
// UpdateClientResult holds the result of the client update operation performed
// by RunUpdateClient. It is rendered via ToJSON/ToText.
type UpdateClientResult struct {
	// ID is the identifier of the updated client; serialized as "client_id".
	ID string `json:"client_id"`
	// Name is the client's name after the update (presumably reflects the name
	// argument of RunUpdateClient — confirm).
	Name string `json:"name"`
	// IsActive is the client's active flag after the update (presumably reflects
	// the isActive argument of RunUpdateClient — confirm).
	IsActive bool `json:"is_active"`
}
UpdateClientResult holds the result of the client update operation.
func (*UpdateClientResult) ToJSON ¶ added in v0.23.0
func (r *UpdateClientResult) ToJSON() string
ToJSON returns a JSON representation of the update result.
func (*UpdateClientResult) ToText ¶ added in v0.23.0
func (r *UpdateClientResult) ToText() string
ToText returns a human-readable representation of the update result.
type VerifyAuditLogsResult ¶ added in v0.23.0
// VerifyAuditLogsResult holds the result of the audit log verification
// operation performed by RunVerifyAuditLogs, which checks the cryptographic
// integrity of audit logs within a time range. It is rendered via ToJSON/ToText.
type VerifyAuditLogsResult struct {
	// TotalChecked is the number of audit log entries examined in the range.
	TotalChecked int64 `json:"total_checked"`
	// SignedCount is the number of examined entries that carry a signature.
	SignedCount int64 `json:"signed_count"`
	// UnsignedCount is the number of examined entries without a signature;
	// presumably these cannot be verified and are reported separately rather
	// than counted as invalid — confirm against RunVerifyAuditLogs.
	UnsignedCount int64 `json:"unsigned_count"`
	// ValidCount is the number of entries whose integrity check succeeded.
	ValidCount int64 `json:"valid_count"`
	// InvalidCount is the number of entries whose integrity check failed.
	InvalidCount int64 `json:"invalid_count"`
	// InvalidLogs identifies the entries that failed verification (the exact
	// identifier format is not visible here — confirm against RunVerifyAuditLogs).
	// Encodes as null when nil and as [] when empty but non-nil.
	InvalidLogs []string `json:"invalid_logs"`
	// Passed is the overall verdict; presumably true only when no entry failed
	// verification — confirm.
	Passed bool `json:"passed"`
	// StartDate is the beginning of the verified time range (parsed from
	// RunVerifyAuditLogs's startDateStr).
	StartDate time.Time `json:"start_date"`
	// EndDate is the end of the verified time range (parsed from
	// RunVerifyAuditLogs's endDateStr).
	EndDate time.Time `json:"end_date"`
}
VerifyAuditLogsResult holds the result of the audit log verification operation.
func (*VerifyAuditLogsResult) ToJSON ¶ added in v0.23.0
func (r *VerifyAuditLogsResult) ToJSON() string
ToJSON returns a JSON representation of the verification result.
func (*VerifyAuditLogsResult) ToText ¶ added in v0.23.0
func (r *VerifyAuditLogsResult) ToText() string
ToText returns a human-readable representation of the verification result.
Source Files
- clean_audit_logs.go
- clean_expired_tokens.go
- create_client.go
- create_kek.go
- create_tokenization_key.go
- helpers.go
- master_key.go
- migrations.go
- purge_auth_tokens.go
- purge_secrets.go
- purge_tokenization_keys.go
- purge_transit_keys.go
- rewrap_deks.go
- rotate_client_secret.go
- rotate_kek.go
- rotate_master_key.go
- rotate_tokenization_key.go
- server.go
- update_client.go
- verify_audit_logs.go