Documentation
Overview
Package commands contains CLI command implementations for the application.
Index
- func RunCleanAuditLogs(ctx context.Context, days int, dryRun bool, format string) error
- func RunCleanExpiredTokens(ctx context.Context, days int, dryRun bool, format string) error
- func RunCreateClient(ctx context.Context, name string, isActive bool, policiesJSON string, ...) error
- func RunCreateKek(ctx context.Context, algorithmStr string) error
- func RunCreateMasterKey(keyID, kmsProvider, kmsKeyURI string) error
- func RunCreateTokenizationKey(ctx context.Context, name string, formatType string, isDeterministic bool, ...) error
- func RunMigrations() error
- func RunRotateKek(ctx context.Context, algorithmStr string) error
- func RunRotateMasterKey(ctx context.Context, keyID string) error
- func RunRotateTokenizationKey(ctx context.Context, name string, formatType string, isDeterministic bool, ...) error
- func RunServer(ctx context.Context) error
- func RunUpdateClient(ctx context.Context, clientIDStr string, name string, isActive bool, ...) error
- func RunVerifyAuditLogs(ctx context.Context, startDate, endDate string, format string) error
Constants
This section is empty.
Variables
This section is empty.
Functions
func RunCleanAuditLogs (added in v0.2.0)
RunCleanAuditLogs deletes audit logs older than the specified number of days. Supports dry-run mode to preview deletion count and both text/JSON output formats.
Requirements: Database must be migrated and accessible.
func RunCleanExpiredTokens (added in v0.4.0)
RunCleanExpiredTokens deletes expired tokens older than the specified number of days. Supports dry-run mode to preview deletion count and both text/JSON output formats.
Requirements: Database must be migrated and accessible.
func RunCreateClient
func RunCreateClient(
	ctx context.Context,
	name string,
	isActive bool,
	policiesJSON string,
	format string,
) error
RunCreateClient creates a new authentication client with policies. Supports both interactive mode (when policiesJSON is empty) and non-interactive mode (when policiesJSON is provided). Outputs client ID and plain secret in either text or JSON format.
Requirements: Database must be migrated and accessible.
func RunCreateKek
RunCreateKek creates a new Key Encryption Key using the specified algorithm. It should only be run once, during initial system setup. The KEK is encrypted using the active master key from the MASTER_KEYS environment variable.
Requirements: Database must be migrated, MASTER_KEYS and ACTIVE_MASTER_KEY_ID must be set.
func RunCreateMasterKey
RunCreateMasterKey generates a cryptographically secure 32-byte master key for envelope encryption. Creates the root key used to encrypt all KEKs. Key material is zeroed from memory after encoding. If keyID is empty, generates a default ID in format "master-key-YYYY-MM-DD".
KMS Mode: When kmsProvider and kmsKeyURI are provided, the master key is encrypted with the KMS before it is output. Legacy Mode: When the KMS parameters are empty, the key is output as plaintext base64 (backward compatible).
Output format:
- Legacy: MASTER_KEYS="<keyID>:<base64-encoded-plaintext-key>" (DEFAULT)
- KMS: MASTER_KEYS="<keyID>:<base64-encoded-kms-ciphertext>" + KMS_PROVIDER + KMS_KEY_URI
Security: For production, use KMS mode. Legacy mode is for development/testing only.
func RunCreateTokenizationKey (added in v0.4.0)
func RunCreateTokenizationKey(
	ctx context.Context,
	name string,
	formatType string,
	isDeterministic bool,
	algorithmStr string,
) error
RunCreateTokenizationKey creates a new tokenization key with the specified parameters. Should be run during initial setup or when adding new tokenization formats.
Requirements: Database must be migrated, MASTER_KEYS and ACTIVE_MASTER_KEY_ID must be set.
func RunMigrations
func RunMigrations() error
RunMigrations executes database migrations based on the configured driver. Determines migration path from DBDriver (postgresql or mysql) and applies all pending migrations. Returns nil if no migrations to apply. Logs migration progress and success.
func RunRotateKek
RunRotateKek rotates the existing Key Encryption Key using the specified algorithm. It creates a new KEK version and marks the previously active KEK as inactive. The new KEK is encrypted using the active master key. The operation is atomic and maintains backward compatibility: existing DEKs encrypted with the old KEK remain readable.
Key rotation is recommended every 90 days, or whenever a KEK compromise is suspected, the encryption algorithm changes, or the master keys are rotated.
Requirements: An active KEK must already exist, MASTER_KEYS and ACTIVE_MASTER_KEY_ID must be set.
func RunRotateMasterKey (added in v0.6.0)
RunRotateMasterKey generates a new master key and combines it with existing keys for rotation. Reads current MASTER_KEYS from environment, generates a new key, and outputs the combined configuration with the new key set as active. The old keys remain accessible for decrypting existing KEKs.
Mode Detection:
- KMS Mode: If KMS_PROVIDER and KMS_KEY_URI are set, the new key is encrypted with the KMS
- Legacy Mode: If the KMS variables are empty, a plaintext base64-encoded key is generated
Key Rotation Workflow:
- Run this command to generate the new master key configuration
- Update the environment variables (MASTER_KEYS, ACTIVE_MASTER_KEY_ID)
- Restart the application (it automatically decrypts the KEKs with the new master key chain)
- Rotate the KEKs: `app rotate-kek --algorithm aes-gcm`
- After all KEKs have been rotated, remove the old master key from MASTER_KEYS
Requirements: MASTER_KEYS and ACTIVE_MASTER_KEY_ID must be set in environment.
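The legacy-mode MASTER_KEYS format described under RunCreateMasterKey, together with the rotation step of RunRotateMasterKey that appends a new active key to the existing chain, as an added Go example that is not part of this package. It assumes MASTER_KEYS entries are comma-separated (the page does not state the separator) and covers plaintext mode only, not KMS wrapping.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// MasterKey is one "<keyID>:<base64-key>" entry of MASTER_KEYS (legacy plaintext mode).
type MasterKey struct {
	ID  string
	Key []byte // 32 raw bytes; zero it once encoded, as the docs describe
}

// GenerateMasterKey draws 32 bytes from crypto/rand; an empty keyID gets "master-key-YYYY-MM-DD".
func GenerateMasterKey(keyID string, now time.Time) (MasterKey, error) {
	if keyID == "" {
		keyID = "master-key-" + now.UTC().Format("2006-01-02")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return MasterKey{}, err
	}
	return MasterKey{ID: keyID, Key: key}, nil
}

// ParseMasterKeys validates each entry of MASTER_KEYS. Assumption: entries are comma-separated.
func ParseMasterKeys(env string) ([]MasterKey, error) {
	var keys []MasterKey
	for _, entry := range strings.Split(env, ",") {
		id, b64, ok := strings.Cut(entry, ":")
		raw, err := base64.StdEncoding.DecodeString(b64)
		if !ok || id == "" || err != nil || len(raw) != 32 {
			return nil, fmt.Errorf("malformed MASTER_KEYS entry %q", entry)
		}
		keys = append(keys, MasterKey{ID: id, Key: raw})
	}
	return keys, nil
}

// Rotate returns the MASTER_KEYS and ACTIVE_MASTER_KEY_ID values to export after adding newKey; old keys stay in the chain so existing KEKs remain decryptable until rotate-kek has re-wrapped them.
func Rotate(existing []MasterKey, newKey MasterKey) (masterKeys, activeID string) {
	var entries []string
	for _, k := range append(existing, newKey) {
		entries = append(entries, k.ID+":"+base64.StdEncoding.EncodeToString(k.Key))
	}
	return strings.Join(entries, ","), newKey.ID
}
```

The old key must remain in the chain until every KEK has been re-wrapped; dropping it earlier makes those KEKs, and everything beneath them, undecryptable.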
func RunRotateTokenizationKey (added in v0.4.0)
func RunRotateTokenizationKey(
	ctx context.Context,
	name string,
	formatType string,
	isDeterministic bool,
	algorithmStr string,
) error
RunRotateTokenizationKey creates a new version of an existing tokenization key. Increments the version number and generates a new DEK while preserving old versions for detokenization of previously issued tokens.
Requirements: Database must be migrated, named tokenization key must exist.
func RunServer
RunServer starts the HTTP server with graceful shutdown support. Loads configuration, initializes the DI container, and starts the Gin HTTP server. Blocks until receiving SIGINT/SIGTERM or encountering a fatal error. On shutdown signal, gracefully stops the server within DBConnMaxLifetime timeout.
func RunUpdateClient
func RunUpdateClient(
	ctx context.Context,
	clientIDStr string,
	name string,
	isActive bool,
	policiesJSON string,
	format string,
) error
RunUpdateClient updates an existing authentication client's configuration. Supports both interactive mode (when policiesJSON is empty) and non-interactive mode (when policiesJSON is provided). Only Name, IsActive, and Policies can be updated. The client ID and secret remain unchanged.
Requirements: Database must be migrated and the client must exist.
func RunVerifyAuditLogs (added in v0.9.0)
RunVerifyAuditLogs verifies cryptographic integrity of audit logs within a time range. Validates HMAC-SHA256 signatures against KEK-derived signing keys for tamper detection.
Requirements: Database must be migrated with signature columns and KEK chain loaded.
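The tamper check RunVerifyAuditLogs performs, as an added Go example that is not part of this package: each record carries the KEK version it was signed under, the loaded KEK chain yields a per-version signing key, and the HMAC-SHA256 is recomputed with a constant-time compare. The record fields, the signed byte layout and the derivation (HMAC-SHA256 of a fixed label under the KEK) are assumptions; the page only says the keys are KEK-derived.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"time"
)

// AuditLog is a stored record plus its signature column. Field set and signed layout are assumptions.
type AuditLog struct {
	ID         int
	Timestamp  time.Time
	Action     string
	KEKVersion int    // KEK chain entry whose derived key signed this record
	Signature  []byte // HMAC-SHA256, as stored in the signature column
}

type KEKChain map[int][]byte // version -> key; inactive versions stay loaded so records signed before a rotate-kek still verify

// Signature recomputes the expected MAC for r. Assumption: signing key = HMAC-SHA256(kek, "audit-log-signing").
func Signature(c KEKChain, r AuditLog) ([]byte, error) {
	kek, ok := c[r.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d not loaded", r.KEKVersion)
	}
	kdf := hmac.New(sha256.New, kek)
	kdf.Write([]byte("audit-log-signing"))
	m := hmac.New(sha256.New, kdf.Sum(nil))
	fmt.Fprintf(m, "%d|%s|%s|%d", r.ID, r.Timestamp.UTC().Format(time.RFC3339), r.Action, r.KEKVersion)
	return m.Sum(nil), nil
}

// Verify checks every record inside [start, end] with a constant-time compare and returns the IDs that fail; an unloaded KEK version is an error, not a silent pass.
func Verify(c KEKChain, logs []AuditLog, start, end time.Time) ([]int, error) {
	var bad []int
	for _, r := range logs {
		if r.Timestamp.Before(start) || r.Timestamp.After(end) {
			continue
		}
		want, err := Signature(c, r)
		if err != nil {
			return nil, err
		}
		if !hmac.Equal(r.Signature, want) {
			bad = append(bad, r.ID)
		}
	}
	return bad, nil
}
```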
Types
This section is empty.