commands

package
v0.1.0 Latest
Warning

This package is not in the latest version of its module.

Published: Feb 14, 2026 License: MIT Imports: 23 Imported by: 0

Documentation

Overview

Package commands contains CLI command implementations for the application.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func RunCreateClient

func RunCreateClient(
	ctx context.Context,
	name string,
	isActive bool,
	policiesJSON string,
	format string,
) error

RunCreateClient creates a new authentication client with policies. Supports both interactive mode (when policiesJSON is empty) and non-interactive mode (when policiesJSON is provided). Outputs client ID and plain secret in either text or JSON format.

Requirements: Database must be migrated and accessible.

func RunCreateKek

func RunCreateKek(ctx context.Context, algorithmStr string) error

RunCreateKek creates a new Key Encryption Key (KEK) using the specified algorithm. It should only be run once, during initial system setup. The KEK is encrypted using the active master key from the MASTER_KEYS environment variable.

Requirements: Database must be migrated, MASTER_KEYS and ACTIVE_MASTER_KEY_ID must be set.

func RunCreateMasterKey

func RunCreateMasterKey(keyID string) error

RunCreateMasterKey generates a cryptographically secure 32-byte master key for envelope encryption. This is the root key used to encrypt all KEKs. Key material is zeroed from memory after encoding. If keyID is empty, a default ID is generated in the format "master-key-YYYY-MM-DD".

Output format: MASTER_KEYS="<keyID>:<base64-encoded-key>" and ACTIVE_MASTER_KEY_ID="<keyID>"

Security: Store output securely (secrets manager/KMS), never commit to version control, rotate every 90 days. For production, consider using a proper KMS instead of environment variables.
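The following Go sketch is an added example, not this package's code: it produces an entry in the documented MASTER_KEYS format and validates one before use, so a truncated or mis-pasted key is rejected at startup. The helper names, the use of standard (padded) base64, and the key ID character restrictions are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

const masterKeyLen = 32 // key size stated in the RunCreateMasterKey docs

// newMasterKeyEntry (hypothetical helper) returns "<keyID>:<base64-key>" and the ID used.
func newMasterKeyEntry(keyID string, now time.Time) (entry, id string, err error) {
	if keyID == "" {
		keyID = "master-key-" + now.Format("2006-01-02") // documented default ID
	}
	if strings.ContainsAny(keyID, ":\" \t\n") { // assumed restriction: ':' is the delimiter
		return "", "", fmt.Errorf("key ID contains a delimiter, quote or whitespace")
	}
	key := make([]byte, masterKeyLen)
	if _, err := rand.Read(key); err != nil { // OS CSPRNG, never math/rand
		return "", "", err
	}
	entry = keyID + ":" + base64.StdEncoding.EncodeToString(key)
	for i := range key { // best-effort wipe of the raw key after encoding
		key[i] = 0
	}
	return entry, keyID, nil
}

// parseMasterKeyEntry (hypothetical helper) validates one entry before it is used.
func parseMasterKeyEntry(entry string) (id string, key []byte, err error) {
	id, b64, ok := strings.Cut(entry, ":")
	if !ok || id == "" {
		return "", nil, fmt.Errorf("expected <keyID>:<base64-encoded-key>")
	}
	if key, err = base64.StdEncoding.DecodeString(b64); err != nil {
		return "", nil, err
	} else if len(key) != masterKeyLen {
		return "", nil, fmt.Errorf("key is %d bytes, want %d", len(key), masterKeyLen)
	}
	return id, key, nil
}

func main() {
	if entry, id, err := newMasterKeyEntry("", time.Now()); err == nil {
		fmt.Printf("MASTER_KEYS=%q\nACTIVE_MASTER_KEY_ID=%q\n", entry, id)
	}
}
```

The encoded entry string itself is immutable in Go and cannot be wiped, so the zeroing loop only covers the raw byte slice.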

func RunMigrations

func RunMigrations() error

RunMigrations executes database migrations based on the configured driver. It determines the migration path from DBDriver (postgresql or mysql) and applies all pending migrations. Returns nil if there are no migrations to apply. Logs migration progress and success.

func RunRotateKek

func RunRotateKek(ctx context.Context, algorithmStr string) error

RunRotateKek rotates the existing Key Encryption Key using the specified algorithm. It creates a new KEK version and marks the previous active KEK as inactive. The new KEK is encrypted using the active master key. This operation is atomic and maintains backward compatibility: existing DEKs encrypted with the old KEK remain readable.

Key rotation is recommended every 90 days, or when suspecting KEK compromise, changing encryption algorithms, or rotating master keys.

Requirements: An active KEK must already exist, MASTER_KEYS and ACTIVE_MASTER_KEY_ID must be set.

func RunServer

func RunServer(ctx context.Context) error

RunServer starts the HTTP server with graceful shutdown support. It loads configuration, initializes the DI container, and starts the Gin HTTP server. It blocks until receiving SIGINT/SIGTERM or encountering a fatal error. On a shutdown signal, it gracefully stops the server within the DBConnMaxLifetime timeout.

func RunUpdateClient

func RunUpdateClient(
	ctx context.Context,
	clientIDStr string,
	name string,
	isActive bool,
	policiesJSON string,
	format string,
) error

RunUpdateClient updates an existing authentication client's configuration. Supports both interactive mode (when policiesJSON is empty) and non-interactive mode (when policiesJSON is provided). Only Name, IsActive, and Policies can be updated. The client ID and secret remain unchanged.

Requirements: Database must be migrated and the client must exist.

Types

This section is empty.
