commands

func RunCleanAuditLogs ¶ added in v0.2.0

func RunCleanAuditLogs(ctx context.Context, days int, dryRun bool, format string) error

RunCleanAuditLogs deletes audit logs older than the specified number of days. Supports dry-run mode to preview deletion count and both text/JSON output formats.

Requirements: Database must be migrated and accessible.

func RunCleanExpiredTokens ¶ added in v0.4.0

func RunCleanExpiredTokens(ctx context.Context, days int, dryRun bool, format string) error

RunCleanExpiredTokens deletes expired tokens older than the specified number of days. Supports dry-run mode to preview deletion count and both text/JSON output formats.

Requirements: Database must be migrated and accessible.

func RunCreateClient ¶

func RunCreateClient(
	ctx context.Context,
	name string,
	isActive bool,
	policiesJSON string,
	format string,
) error

RunCreateClient creates a new authentication client with policies. Supports both interactive mode (when policiesJSON is empty) and non-interactive mode (when policiesJSON is provided). Outputs client ID and plain secret in either text or JSON format.

Requirements: Database must be migrated and accessible.

func RunCreateKek ¶

func RunCreateKek(ctx context.Context, algorithmStr string) error

RunCreateKek creates a new Key Encryption Key using the specified algorithm. Should only be run once during initial system setup. The KEK is encrypted using the active master key from MASTER_KEYS environment variable.

Requirements: Database must be migrated, MASTER_KEYS and ACTIVE_MASTER_KEY_ID must be set.

func RunCreateMasterKey ¶

func RunCreateMasterKey(keyID, kmsProvider, kmsKeyURI string) error

RunCreateMasterKey generates a cryptographically secure 32-byte master key for envelope encryption. Creates the root key used to encrypt all KEKs. Key material is zeroed from memory after encoding. If keyID is empty, generates a default ID in format "master-key-YYYY-MM-DD".

KMS Mode: When kmsProvider and kmsKeyURI are provided, encrypts the master key with KMS before output. Legacy Mode: When KMS parameters are empty, outputs plaintext base64-encoded keys (backward compatible).

Output format:

• Legacy: MASTER_KEYS="<keyID>:<base64-encoded-plaintext-key>" (DEFAULT)
• KMS: MASTER_KEYS="<keyID>:<base64-encoded-kms-ciphertext>" + KMS_PROVIDER + KMS_KEY_URI

Security: For production, use KMS mode. Legacy mode is for development/testing only.

func RunCreateTokenizationKey ¶ added in v0.4.0

func RunCreateTokenizationKey(
	ctx context.Context,
	name string,
	formatType string,
	isDeterministic bool,
	algorithmStr string,
) error

RunCreateTokenizationKey creates a new tokenization key with the specified parameters. Should be run during initial setup or when adding new tokenization formats.

Requirements: Database must be migrated, MASTER_KEYS and ACTIVE_MASTER_KEY_ID must be set.

func RunMigrations ¶

func RunMigrations() error

RunMigrations executes database migrations based on the configured driver. Determines migration path from DBDriver (postgresql or mysql) and applies all pending migrations. Returns nil if no migrations to apply. Logs migration progress and success.

func RunRotateKek ¶

func RunRotateKek(ctx context.Context, algorithmStr string) error

RunRotateKek rotates the existing Key Encryption Key using the specified algorithm. Creates a new KEK version and marks the previous active KEK as inactive. The new KEK is encrypted using the active master key. This operation is atomic and maintains backward compatibility - existing DEKs encrypted with the old KEK remain readable.

Key rotation recommended every 90 days or when suspecting KEK compromise, changing encryption algorithms, or rotating master keys.

Requirements: An active KEK must already exist, MASTER_KEYS and ACTIVE_MASTER_KEY_ID must be set.

func RunRotateMasterKey ¶ added in v0.6.0

func RunRotateMasterKey(ctx context.Context, keyID string) error

RunRotateMasterKey generates a new master key and combines it with existing keys for rotation. Reads current MASTER_KEYS from environment, generates a new key, and outputs the combined configuration with the new key set as active. The old keys remain accessible for decrypting existing KEKs.

Mode Detection:

• KMS Mode: If KMS_PROVIDER and KMS_KEY_URI are set, encrypts new key with KMS
• Legacy Mode: If KMS variables are empty, generates plaintext base64-encoded key

Key Rotation Workflow:

1. Run this command to generate new master key configuration
2. Update environment variables (MASTER_KEYS, ACTIVE_MASTER_KEY_ID)
3. Restart application (automatically decrypts KEKs with new master key chain)
4. Rotate KEKs: `app rotate-kek --algorithm aes-gcm`
5. After all KEKs rotated, remove old master key from MASTER_KEYS

Requirements: MASTER_KEYS and ACTIVE_MASTER_KEY_ID must be set in environment.

func RunRotateTokenizationKey ¶ added in v0.4.0

func RunRotateTokenizationKey(
	ctx context.Context,
	name string,
	formatType string,
	isDeterministic bool,
	algorithmStr string,
) error

RunRotateTokenizationKey creates a new version of an existing tokenization key. Increments the version number and generates a new DEK while preserving old versions for detokenization of previously issued tokens.

Requirements: Database must be migrated, named tokenization key must exist.

func RunServer ¶

func RunServer(ctx context.Context) error

RunServer starts the HTTP server with graceful shutdown support. Loads configuration, initializes the DI container, and starts the Gin HTTP server. Blocks until receiving SIGINT/SIGTERM or encountering a fatal error. On shutdown signal, gracefully stops the server within DBConnMaxLifetime timeout.

func RunUpdateClient ¶

func RunUpdateClient(
	ctx context.Context,
	clientIDStr string,
	name string,
	isActive bool,
	policiesJSON string,
	format string,
) error

RunUpdateClient updates an existing authentication client's configuration. Supports both interactive mode (when policiesJSON is empty) and non-interactive mode (when policiesJSON is provided). Only Name, IsActive, and Policies can be updated. The client ID and secret remain unchanged.

Requirements: Database must be migrated and the client must exist.