Documentation
¶
Overview ¶
Package keyring provides cross-platform credential storage for Zeta. This file implements Unix/Linux storage with configurable storage storages.
Linux Behavior: - By default (storage="auto"): Does NOT store credentials unless explicitly configured - To enable storage, set: zeta config credential.storage secret-service - Or set environment variable: ZETA_CREDENTIAL_STORAGE=secret-service
This design avoids DBUS errors on systems without Secret Service.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( // ErrNotFound is the expected error if the secret isn't found in the keyring. ErrNotFound = errors.New("secret not found in keyring") // ErrSetDataTooBig is returned if Set was called with too much data. // On macOS: The combination of service, username & password should not exceed ~3000 bytes // On Windows: The service is limited to 32KiB while the password is limited to 2560 bytes // On Linux/Unix: There is no theoretical limit but performance suffers with big values (>100KiB) ErrSetDataTooBig = errors.New("data passed to Set was too big") // ErrStorageDisabled indicates that credential storage is disabled. ErrStorageDisabled = errors.New("credential storage is disabled") // ErrNoEncryptionKey indicates that encryption key is required but not provided. ErrNoEncryptionKey = errors.New("encryption key is required for file storage") )
Functions ¶
Types ¶
type Cred ¶
type Cred struct {
UserName string
Password string
// Protocol specifies protocol type (http, https, imap, smtp, ftp, etc.)
Protocol string
// Server specifies the server name or IP address (without port)
Server string
// Path specifies the path component (optional, for some protocols)
Path string
// Port specifies the port number (optional, 0 means use default)
Port int
}
Cred represents credentials for a server. This design follows git-credential-osxkeychain pattern where credentials are identified by (protocol, host, username) tuple.
func Get ¶ added in v0.22.0
Get retrieves credentials from the configured storage. On Linux, this will only attempt to read if storage is configured. Returns ErrNotFound if credential doesn't exist or storage is disabled.
func NewCredFromURL ¶ added in v0.22.0
NewCredFromURL creates a Cred from a URL, extracting protocol, server, and port. If the URL specifies a default port for the protocol (e.g., 443 for https), the port is not stored to ensure consistent credential lookup.
type Option ¶ added in v0.22.0
type Option func(*Options)
Option is a functional option for configuring keyring behavior. This is used to configure credential storage backend on platforms that support multiple backends. On macOS and Windows, the default backend is always used unless explicitly overridden.
func WithEncryptionKey ¶ added in v0.22.0
WithEncryptionKey sets the encryption key for file-based credential storage. Required when Storage="file".
func WithStorage ¶ added in v0.22.0
WithStorage sets the credential storage backend. Valid values depend on the platform:
- macOS: "security" (/usr/bin/security CLI), "file"
- Windows: "file"
- Linux: "secret-service", "file"
func WithStoragePath ¶ added in v0.22.0
WithStoragePath sets the path for encrypted credential file. Only used when Storage="file".
type Options ¶ added in v0.22.0
type Options struct {
// Storage specifies the credential storage backend.
//
// Platform-specific behavior:
// - macOS: Default uses Security.framework; "security" uses /usr/bin/security CLI; "file" uses encrypted file
// - Windows: Default uses Credential Manager; "file" uses encrypted file
// - Linux: Default is "none"; "secret-service" uses Secret Service API; "file" uses encrypted file
Storage string
// EncryptionKey specifies the key for encrypting credentials in file storage.
// Required when Storage="file".
EncryptionKey string
// StoragePath specifies the path for encrypted credential file.
// Only used when Storage="file".
// Default: ~/.config/zeta/credentials
StoragePath string
}
Options holds configuration for keyring operations.