secureconfig

package
v0.8.0 Latest
Warning

This package is not in the latest version of its module.
Published: Mar 28, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package secureconfig provides encrypted key-value storage for plugin secrets.

Plugins store API keys, PINs and webhook secrets via the HostAPI SecureConfigGet/Set calls. The platform handles AES-256-GCM encryption using a platform-managed key.

Constants

const (
	// KeyEnvVar is the environment variable for the encryption key.
	KeyEnvVar = "GOATFLOW_SECURE_KEY"
)

Variables

This section is empty.

Functions

func Decrypt

func Decrypt(ciphertext []byte, key []byte) ([]byte, error)

Decrypt decrypts AES-256-GCM ciphertext. Input format: [12-byte nonce][ciphertext][16-byte GCM tag].

func Encrypt

func Encrypt(plaintext []byte, key []byte) ([]byte, error)

Encrypt encrypts plaintext using AES-256-GCM. Returns [12-byte nonce][ciphertext][16-byte GCM tag].

func GetKey

func GetKey() ([]byte, error)

GetKey returns the platform encryption key, initialising it on first call. Key source priority: SetKey override > env var > auto-generated.

func MaskedDisplay

func MaskedDisplay(hint string) string

MaskedDisplay returns a masked version for admin display: "••••••••abcd".

func SetKey

func SetKey(key []byte)

SetKey sets the encryption key directly (for testing).

func ValueHint

func ValueHint(value string) string

ValueHint returns the last 4 characters of a string for masked display. Returns the full string if shorter than 5 characters.

Types

type Repository

type Repository struct {
	// contains filtered or unexported fields
}

Repository provides CRUD for encrypted secrets.

func NewRepository

func NewRepository() (*Repository, error)

NewRepository creates a repository using the global DB.

func NewRepositoryWithDB

func NewRepositoryWithDB(db *sql.DB) *Repository

NewRepositoryWithDB creates a repository with an explicit DB connection.

func (*Repository) Delete

func (r *Repository) Delete(pluginName, name string, orgID int64) error

Delete removes a secret.

func (*Repository) Get

func (r *Repository) Get(pluginName, name string, orgID int64) (*SecureEntry, error)

Get retrieves an encrypted value. Checks org-specific first, then global.

func (*Repository) ListForPlugin

func (r *Repository) ListForPlugin(pluginName string) ([]SecureEntry, error)

ListForPlugin returns all secrets for a plugin (with masked values for admin display).

func (*Repository) Set

func (r *Repository) Set(pluginName, name string, encryptedValue []byte, hint string, orgID int64, userID int) error

Set creates or updates an encrypted value.

type SecureEntry

type SecureEntry struct {
	ID             int64     `json:"id" db:"id"`
	PluginName     string    `json:"plugin_name" db:"plugin_name"`
	Name           string    `json:"name" db:"name"`
	EncryptedValue []byte    `json:"-" db:"encrypted_value"`
	ValueHint      *string   `json:"value_hint,omitempty" db:"value_hint"`
	OrgID          *int64    `json:"org_id,omitempty" db:"org_id"`
	CreateTime     time.Time `json:"create_time" db:"create_time"`
	CreateBy       int       `json:"create_by" db:"create_by"`
	ChangeTime     time.Time `json:"change_time" db:"change_time"`
	ChangeBy       int       `json:"change_by" db:"change_by"`
}

SecureEntry represents a row in gk_secure_config.
