Documentation
Overview
Package commands contains CLI command implementations for the application.
Index
- func RunCleanAuditLogs(ctx context.Context, auditLogUseCase authUseCase.AuditLogUseCase, ...) error
- func RunCleanExpiredTokens(ctx context.Context, ...) error
- func RunCreateClient(ctx context.Context, clientUseCase authUseCase.ClientUseCase, ...) error
- func RunCreateKek(ctx context.Context, kekUseCase cryptoUseCase.KekUseCase, ...) error
- func RunCreateMasterKey(ctx context.Context, kmsService cryptoService.KMSService, logger *slog.Logger, ...) error
- func RunCreateTokenizationKey(ctx context.Context, ...) error
- func RunMigrations(logger *slog.Logger, dbDriver, dbConnectionString string) error
- func RunRewrapDeks(ctx context.Context, masterKeyChain *cryptoDomain.MasterKeyChain, ...) error
- func RunRotateKek(ctx context.Context, kekUseCase cryptoUseCase.KekUseCase, ...) error
- func RunRotateMasterKey(ctx context.Context, kmsService cryptoService.KMSService, logger *slog.Logger, ...) error
- func RunRotateTokenizationKey(ctx context.Context, ...) error
- func RunServer(ctx context.Context, version string) error
- func RunUpdateClient(ctx context.Context, clientUseCase authUseCase.ClientUseCase, ...) error
- func RunVerifyAuditLogs(ctx context.Context, auditLogUseCase authUseCase.AuditLogUseCase, ...) error
- type IOTuple
Constants
This section is empty.
Variables
This section is empty.
Functions
func RunCleanAuditLogs (added in v0.2.0)
func RunCleanExpiredTokens (added in v0.4.0)
func RunCreateClient
func RunCreateClient(
	ctx context.Context,
	clientUseCase authUseCase.ClientUseCase,
	logger *slog.Logger,
	name string,
	isActive bool,
	policiesJSON string,
	format string,
	io IOTuple,
) error
RunCreateClient creates a new authentication client with policies. Supports both interactive mode (when policiesJSON is empty) and non-interactive mode (when policiesJSON is provided). Outputs client ID and plain secret in either text or JSON format.
Requirements: Database must be migrated and accessible.
func RunCreateKek
func RunCreateKek(
	ctx context.Context,
	kekUseCase cryptoUseCase.KekUseCase,
	masterKeyChain *cryptoDomain.MasterKeyChain,
	logger *slog.Logger,
	algorithmStr string,
) error
RunCreateKek creates a new Key Encryption Key using the specified algorithm. Should only be run once during initial system setup. The KEK is encrypted using the active master key from MASTER_KEYS environment variable.
Requirements: Database must be migrated, MASTER_KEYS and ACTIVE_MASTER_KEY_ID must be set.
func RunCreateMasterKey
func RunCreateMasterKey(
	ctx context.Context,
	kmsService cryptoService.KMSService,
	logger *slog.Logger,
	writer io.Writer,
	keyID string,
	kmsProvider string,
	kmsKeyURI string,
) error
RunCreateMasterKey generates a cryptographically secure 32-byte master key for envelope encryption. Creates the root key used to encrypt all KEKs. Key material is zeroed from memory after encoding. If keyID is empty, generates a default ID in format "master-key-YYYY-MM-DD".
KMS parameters (kmsProvider and kmsKeyURI) are required. The master key is encrypted with KMS before output. For local development, use kmsProvider="localsecrets" with kmsKeyURI="base64key://...".
Output format:
- MASTER_KEYS="<keyID>:<base64-encoded-kms-ciphertext>"
- KMS_PROVIDER="<provider>"
- KMS_KEY_URI="<uri>"
Security: Never use localsecrets provider in production. Use cloud KMS providers (gcpkms, awskms, azurekeyvault).
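The three output lines above are exactly what the server reads back at startup, so a loader that parses them and refuses a localsecrets configuration outside development is a check worth having in front of the KMS client. The following is an added example written for this page, not code from the commands package: ParseMasterKeyOutput, MasterKeyConfig and the production flag are this example's own names, and it assumes MASTER_KEYS holds a single <keyID>:<base64> entry because the page does not give the delimiter used when several master keys are present. The sample output is constructed and the ciphertext is dummy bytes, not a real KMS wrap.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// MasterKeyConfig is the parsed form of the three lines RunCreateMasterKey
// prints. Ciphertext is still KMS-wrapped; nothing here decrypts it.
type MasterKeyConfig struct {
	KeyID      string
	Ciphertext []byte
	Provider   string
	KeyURI     string
}

// productionProviders are the KMS providers the documentation allows outside
// local development.
var productionProviders = map[string]bool{
	"gcpkms": true, "awskms": true, "azurekeyvault": true,
}

// ParseMasterKeyOutput parses KEY="value" lines in the documented output
// format and, when production is set, refuses localsecrets or any other
// non-cloud provider. It expects MASTER_KEYS to hold one <keyID>:<base64>
// entry (the delimiter for several entries is not documented here).
func ParseMasterKeyOutput(output string, production bool) (*MasterKeyConfig, error) {
	vals := map[string]string{}
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		vals[k] = strings.Trim(v, `"`)
	}
	for _, k := range []string{"MASTER_KEYS", "KMS_PROVIDER", "KMS_KEY_URI"} {
		if vals[k] == "" {
			return nil, fmt.Errorf("%s is missing or empty", k)
		}
	}
	id, b64, ok := strings.Cut(vals["MASTER_KEYS"], ":")
	if !ok || id == "" || b64 == "" {
		return nil, errors.New("MASTER_KEYS must be <keyID>:<base64-encoded-kms-ciphertext>")
	}
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("MASTER_KEYS ciphertext is not valid base64: %w", err)
	}
	cfg := &MasterKeyConfig{KeyID: id, Ciphertext: ct, Provider: vals["KMS_PROVIDER"], KeyURI: vals["KMS_KEY_URI"]}
	switch {
	case production && !productionProviders[cfg.Provider]:
		return nil, fmt.Errorf("KMS provider %q is not allowed in production", cfg.Provider)
	case cfg.Provider == "localsecrets" && !strings.HasPrefix(cfg.KeyURI, "base64key://"):
		return nil, fmt.Errorf("localsecrets needs a base64key:// URI, got %q", cfg.KeyURI)
	}
	return cfg, nil
}

func main() {
	// Constructed sample in the documented format; the ciphertext is dummy
	// bytes, not a real KMS wrap.
	const devOutput = `MASTER_KEYS="master-key-2024-01-15:AQIDBAUGBwg="
KMS_PROVIDER="localsecrets"
KMS_KEY_URI="base64key://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="`
	if cfg, err := ParseMasterKeyOutput(devOutput, false); err == nil {
		fmt.Println("development:", cfg.KeyID, len(cfg.Ciphertext), "ciphertext bytes")
	}
	_, err := ParseMasterKeyOutput(devOutput, true)
	fmt.Println("production:", err)
}
```

The same input passes with production=false and fails with production=true, which is the property to wire into the server's startup path so a development MASTER_KEYS line cannot be promoted by accident.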
func RunCreateTokenizationKey (added in v0.4.0)
func RunCreateTokenizationKey(
	ctx context.Context,
	tokenizationKeyUseCase tokenizationUseCase.TokenizationKeyUseCase,
	logger *slog.Logger,
	name string,
	formatType string,
	isDeterministic bool,
	algorithmStr string,
) error
RunCreateTokenizationKey creates a new tokenization key with the specified parameters. Should be run during initial setup or when adding new tokenization formats.
Requirements: Database must be migrated, MASTER_KEYS and ACTIVE_MASTER_KEY_ID must be set.
func RunMigrations
func RunMigrations(logger *slog.Logger, dbDriver, dbConnectionString string) error
RunMigrations executes database migrations based on the configured driver. Selects the migration path from dbDriver (postgresql or mysql) and applies all pending migrations. Returns nil if there are no migrations to apply. Logs migration progress and success.
func RunRewrapDeks (added in v0.12.0)
func RunRewrapDeks(
	ctx context.Context,
	masterKeyChain *cryptoDomain.MasterKeyChain,
	kekUseCase cryptoUseCase.KekUseCase,
	dekUseCase cryptoUseCase.DekUseCase,
	logger *slog.Logger,
	kekIDStr string,
	batchSize int,
) error
RunRewrapDeks finds all DEKs that are not encrypted with the specified KEK ID and re-encrypts them with the specified KEK in batches.
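As an added example of the rewrap described here (illustrative code, not the package's implementation): KEKs are held unwrapped in a map, as the master key chain would hand them over, and DEK rows are re-encrypted batch by batch, skipping rows already under the target KEK and failing closed on a wrapped blob that does not authenticate under the KEK its row claims. AES-256-GCM as the wrapping algorithm, the DEK type and the RewrapDeks name are assumptions of this example; the sample keys and rows in main are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// aead returns AES-256-GCM for a 32-byte key. Using AES-GCM as the KEK
// wrapping algorithm is this example's assumption, not the project's format.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal wraps pt under key and prepends the random nonce to the ciphertext.
func seal(key, pt []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; a blob stored under the wrong KEK fails authentication.
func open(key, blob []byte) ([]byte, error) {
	g := aead(key)
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("wrapped key too short")
	}
	return g.Open(nil, blob[:n], blob[n:], nil)
}

// DEK is a stored data key row: Wrapped is the DEK encrypted under the KEK
// named by KekID.
type DEK struct {
	ID, KekID string
	Wrapped   []byte
}

// RewrapDeks re-encrypts every DEK not already under targetKek with the target
// KEK, batchSize rows per pass (one pass per transaction in a real run), and
// returns how many rows changed. keks maps KEK ID to plaintext KEK as the
// master key chain would supply it; plaintext DEKs are zeroed after rewrap.
func RewrapDeks(deks []DEK, keks map[string][]byte, targetKek string, batchSize int) (int, error) {
	newKek, ok := keks[targetKek]
	if !ok || batchSize <= 0 {
		return 0, fmt.Errorf("unknown target KEK %q or invalid batch size %d", targetKek, batchSize)
	}
	count := 0
	for start := 0; start < len(deks); start += batchSize {
		end := start + batchSize
		if end > len(deks) {
			end = len(deks)
		}
		for i := start; i < end; i++ {
			d := &deks[i]
			if d.KekID == targetKek {
				continue // already under the target KEK; leave the row untouched
			}
			oldKek, ok := keks[d.KekID]
			if !ok {
				return count, fmt.Errorf("DEK %s references unknown KEK %q", d.ID, d.KekID)
			}
			plain, err := open(oldKek, d.Wrapped)
			if err != nil {
				return count, fmt.Errorf("DEK %s: %w", d.ID, err)
			}
			d.Wrapped, d.KekID = seal(newKek, plain), targetKek
			for j := range plain {
				plain[j] = 0
			}
			count++
		}
	}
	return count, nil
}

func main() {
	// Constructed sample: two KEKs and three DEKs, two of them still under kek-1.
	kek1, kek2 := make([]byte, 32), make([]byte, 32)
	rand.Read(kek1)
	rand.Read(kek2)
	keks := map[string][]byte{"kek-1": kek1, "kek-2": kek2}
	deks := []DEK{
		{ID: "dek-a", KekID: "kek-1", Wrapped: seal(kek1, []byte("data-key-a"))},
		{ID: "dek-b", KekID: "kek-2", Wrapped: seal(kek2, []byte("data-key-b"))},
		{ID: "dek-c", KekID: "kek-1", Wrapped: seal(kek1, []byte("data-key-c"))},
	}
	n, err := RewrapDeks(deks, keks, "kek-2", 2)
	fmt.Println("rewrapped:", n, "err:", err) // rewrapped: 2 err: <nil>
}
```

Running the same rewrap a second time changes nothing, which is what makes the command safe to re-run after an interrupted batch; an authentication failure on any row stops the pass with the count so far rather than writing a garbage wrap.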
func RunRotateKek
func RunRotateKek(
	ctx context.Context,
	kekUseCase cryptoUseCase.KekUseCase,
	masterKeyChain *cryptoDomain.MasterKeyChain,
	logger *slog.Logger,
	algorithmStr string,
) error
func RunRotateMasterKey (added in v0.6.0)
func RunRotateMasterKey(
	ctx context.Context,
	kmsService cryptoService.KMSService,
	logger *slog.Logger,
	writer io.Writer,
	keyID, kmsProvider, kmsKeyURI, existingMasterKeys, existingActiveKeyID string,
) error
func RunRotateTokenizationKey (added in v0.4.0)
func RunRotateTokenizationKey(
	ctx context.Context,
	tokenizationKeyUseCase tokenizationUseCase.TokenizationKeyUseCase,
	logger *slog.Logger,
	name string,
	formatType string,
	isDeterministic bool,
	algorithmStr string,
) error
RunRotateTokenizationKey creates a new version of an existing tokenization key. Increments the version number and generates a new DEK while preserving old versions for detokenization of previously issued tokens.
Requirements: Database must be migrated, named tokenization key must exist.
func RunServer
func RunServer(ctx context.Context, version string) error
RunServer starts the HTTP server with graceful shutdown support. Loads configuration, initializes the DI container, and starts the Gin HTTP server. Blocks until receiving SIGINT/SIGTERM or encountering a fatal error. On a shutdown signal, gracefully stops the server within the DBConnMaxLifetime timeout.
func RunUpdateClient
func RunUpdateClient(
	ctx context.Context,
	clientUseCase authUseCase.ClientUseCase,
	logger *slog.Logger,
	io IOTuple,
	clientIDStr string,
	name string,
	isActive bool,
	policiesJSON string,
	format string,
) error
RunUpdateClient updates an existing authentication client's configuration. Supports both interactive mode (when policiesJSON is empty) and non-interactive mode (when policiesJSON is provided). Only Name, IsActive, and Policies can be updated. The client ID and secret remain unchanged.
Requirements: Database must be migrated and the client must exist.
func RunVerifyAuditLogs (added in v0.9.0)
func RunVerifyAuditLogs(
	ctx context.Context,
	auditLogUseCase authUseCase.AuditLogUseCase,
	logger *slog.Logger,
	writer io.Writer,
	startDate, endDate string,
	format string,
) error
RunVerifyAuditLogs verifies cryptographic integrity of audit logs within a time range. Validates HMAC-SHA256 signatures against KEK-derived signing keys for tamper detection.
Requirements: Database must be migrated with signature columns and KEK chain loaded.
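As an added example of the verification RunVerifyAuditLogs describes (illustrative code, not the package's implementation): each audit row records the ID of the KEK it was signed under, the signing key is derived from that KEK, and the verifier reports every mismatching or unverifiable row in the requested time range instead of stopping at the first failure. The HMAC-SHA256(kek, label) derivation, the length-prefixed canonical form and all field and function names are this example's assumptions; the entries are constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"time"
)

// AuditEntry is one stored audit row. Signature is the hex HMAC-SHA256 over
// the other fields, computed at write time under the KEK named by KekID so a
// verifier can still pick the right key after KEK rotation.
type AuditEntry struct {
	ID        int64
	Timestamp time.Time
	ClientID  string
	Action    string
	KekID     string
	Signature string
}

// signingKey derives the audit signing key from a KEK. The page only says the
// key is KEK-derived; HMAC-SHA256(kek, label) is this example's assumption and
// keeps the KEK itself out of the MAC computation.
func signingKey(kek []byte) []byte {
	m := hmac.New(sha256.New, kek)
	m.Write([]byte("audit-log-signature-v1"))
	return m.Sum(nil)
}

// canonical serialises the signed fields with length prefixes so that no
// field boundary can be moved without changing the MAC input.
func canonical(e AuditEntry) []byte {
	var b []byte
	for _, f := range []string{strconv.FormatInt(e.ID, 10), e.Timestamp.UTC().Format(time.RFC3339Nano), e.ClientID, e.Action, e.KekID} {
		b = append(b, fmt.Sprintf("%d:%s", len(f), f)...)
	}
	return b
}

// Sign returns the hex signature the writer stores with the entry.
func Sign(e AuditEntry, kek []byte) string {
	m := hmac.New(sha256.New, signingKey(kek))
	m.Write(canonical(e))
	return hex.EncodeToString(m.Sum(nil))
}

// VerifyResult lists IDs whose signature fails (Tampered) and IDs signed
// under a KEK the chain does not hold (UnknownKey).
type VerifyResult struct {
	Checked, Valid       int
	Tampered, UnknownKey []int64
}

// VerifyAuditLogs checks every entry with start <= Timestamp < end against
// the KEK chain (KEK ID -> plaintext KEK) and reports per-row outcomes
// instead of stopping at the first failure.
func VerifyAuditLogs(entries []AuditEntry, keks map[string][]byte, start, end time.Time) VerifyResult {
	var r VerifyResult
	for _, e := range entries {
		if e.Timestamp.Before(start) || !e.Timestamp.Before(end) {
			continue
		}
		r.Checked++
		kek, ok := keks[e.KekID]
		if !ok {
			r.UnknownKey = append(r.UnknownKey, e.ID)
			continue
		}
		// Constant-time comparison of stored and recomputed signatures.
		if hmac.Equal([]byte(e.Signature), []byte(Sign(e, kek))) {
			r.Valid++
		} else {
			r.Tampered = append(r.Tampered, e.ID)
		}
	}
	return r
}

func main() {
	// Constructed sample: two KEK generations, three entries, one altered after signing.
	keks := map[string][]byte{
		"kek-1": []byte("0123456789abcdef0123456789abcdef"),
		"kek-2": []byte("fedcba9876543210fedcba9876543210"),
	}
	t0 := time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC)
	entries := []AuditEntry{
		{ID: 1, Timestamp: t0, ClientID: "svc-a", Action: "encrypt", KekID: "kek-1"},
		{ID: 2, Timestamp: t0.Add(time.Hour), ClientID: "svc-b", Action: "decrypt", KekID: "kek-2"},
		{ID: 3, Timestamp: t0.Add(2 * time.Hour), ClientID: "svc-a", Action: "decrypt", KekID: "kek-2"},
	}
	for i := range entries {
		entries[i].Signature = Sign(entries[i], keks[entries[i].KekID])
	}
	entries[2].Action = "rotate-kek" // tampered after signing
	r := VerifyAuditLogs(entries, keks, t0, t0.Add(24*time.Hour))
	fmt.Printf("checked=%d valid=%d tampered=%v unknown=%v\n", r.Checked, r.Valid, r.Tampered, r.UnknownKey)
	// checked=3 valid=2 tampered=[3] unknown=[]
}
```

A row signed under a KEK that is no longer in the chain is reported separately from a tampered row: the first is a key-management gap (the chain must keep every KEK that ever signed), the second is the integrity failure the command exists to surface.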