Documentation
¶
Overview ¶
Package veles is a standalone secret scanning library.
Index ¶
Constants ¶
const ( // KiB is one binary Kilobyte (Kibibyte) i.e. 1024 bytes. KiB = 1 << 10 // MiB is one binary Megabyte (Mibibyte). MiB = 1 << 20 // GiB is one binary Gigabyte (Gibibyte). GiB = 1 << 30 // MinReadLen is the minimum buffer size for reading chunks from an io.Reader. MinReadLen = 64 * KiB // MinRetainLen is the minimum number of bytes from the end of a chunk to // retain to avoid false negatives from Secrets overlapping the edge of two // chunks. MinRetainLen = 1 * KiB )
Variables ¶
This section is empty.
Functions ¶
func AddValidator ¶
func AddValidator[S Secret](e *ValidationEngine, v Validator[S]) bool
AddValidator adds a new Validator for a concrete Secret type S to the engine.
Returns whether there was already a Validator in place that now got replaced.
Types ¶
type DetectionEngine ¶
type DetectionEngine struct {
// contains filtered or unexported fields
}
DetectionEngine combines multiple Veles Detectors into a single engine that can read from an io.Reader. It outputs the results of applying all Detectors to that stream.
Future optimizations might change how the engine works under the hood but its API should stay stable. It makes no guarantee about the order in which Secrets are found so calling code should not depend on it.
func NewDetectionEngine ¶
func NewDetectionEngine(ds []Detector, opts ...DetectionEngineOption) (*DetectionEngine, error)
NewDetectionEngine creates a new DetectionEngine with the given Detectors.
This will choose sensible defaults for the internal buffers but those can be overridden via DetectionEngineOptions if needed.
Returns an error if no detectors are provided or if the retain buffer would be too small to accommodate the detectors.
func (*DetectionEngine) Detect ¶
Detect reads from an io.Reader and returns the results of applying all of the DetectionEngine's Detectors to that stream.
It reads the input stream in chunks making sure that no matches are accidentally missed at the edges between chunks.
The secrets are returned in no particular order and calling code should not depend on it (hyrumslaw.com).
An error is returned if the provided context is done or if the io.Reader returned any error other than io.EOF.
type DetectionEngineOption ¶
type DetectionEngineOption func(*DetectionEngine)
DetectionEngineOption is an option to configure a DetectionEngine during creation via NewDetectionEngine.
This allows user to fine tune the engine by overriding its defaults. For most use-cases, the defaults should be sensible enough.
func WithReadLen ¶
func WithReadLen(readLen uint32) DetectionEngineOption
WithReadLen overrides the buffer size used for reading chunks from io.Reader.
The value can be smaller than MinReadLen.
func WithRetainLen ¶
func WithRetainLen(retainLen uint32) DetectionEngineOption
WithRetainLen overrides the buffer size used for keeping parts of a previous read to avoid false negatives at the edge of two neighboring chunks.
These should usually be small against readLen. While it's technically possible to have retainLen > readLen, that doesn't make a lot of semantic sense and should be avoided.
type Detector ¶
type Detector interface {
// MaxSecretLen is the maximum length a secret from this detector can have.
//
// It can be set to 0 but then the detector isn't guaranteed any minimum input
// length and should instead implement its own mechanism to ensure it can find
// its secrets; i.e. maintain an internal buffer.
MaxSecretLen() uint32
// Detect finds Secrets inside data and returns them alongside indices to the
// start of the corresponding match.
// The latter is only used internally to avoid duplicates.
Detect(data []byte) ([]Secret, []int)
}
Detector finds instances of Secrets inside a chunk of text.
While most commonly a detector will emit one specific type of secret, we also allow for Detectors to return multiple distinct types - thus the []Secret return type.
type Secret ¶
type Secret any
Secret is a secret that can be found by a Detector and validated by a Validator.
Detectors return slices of Secret and validators accept concrete types. That allows them to be used independently with maximum flexibility.
While the interface is empty, each Secret should be convertible to and from the Veles protocol buffer message format; see the velesproto package. In order to not have the library explicitly depend on protocol buffers, we did not make that requirement part of the interface.
type ValidationEngine ¶
type ValidationEngine struct {
// contains filtered or unexported fields
}
ValidationEngine bundles a number of Validators together.
There can only be one Validator[S] for each concrete S.
func NewValidationEngine ¶
func NewValidationEngine(opts ...ValidationEngineOption) *ValidationEngine
NewValidationEngine creates a new ValidationEngine that bundles a number of Validators together.
Validators are provided via the WithValidator ValidationEngineOption.
Returns an error if no Validators are provided or if there are multiple Validators for the same Secret type.
func (*ValidationEngine) Validate ¶
func (e *ValidationEngine) Validate(ctx context.Context, s Secret) (ValidationStatus, error)
Validate validates a given Secret using one of the configured Validators.
If no Validator for the Secret's type is configured, it will return a result with Status ValidationUnsupported. This is not an error because some Secrets might just not have corresponding Validators.
An error is returned if something went wrong during validation, e.g. connection issues or timeouts. In that case ValidationStatus will be ValidationStatusFailed.
type ValidationEngineOption ¶
type ValidationEngineOption func(*ValidationEngine)
ValidationEngineOption is an option that can be used to configure a ValidationEngine at creation via NewValidationEngine.
func WithValidator ¶
func WithValidator[S Secret](v Validator[S]) ValidationEngineOption
WithValidator configures the ValidationEngine to use the provided Validator.
This will fail if a Validator for the given Secret Type S has already been registered with the ValidationEngine.
type ValidationStatus ¶
type ValidationStatus string
ValidationStatus represents the result status of validating a Secret using a corresponding Validator.
const ( // ValidationUnspecified is the default value for ValidationStatus. It should // not be returned by a concrete Validator. // // The value of ValidationUnspecified is the empty string instead of a // meaningful value so it is the automatic default. ValidationUnspecified ValidationStatus = "" // ValidationUnsupported occurs only if a ValidationEngine has no Validator // for a given Secret type. ValidationUnsupported ValidationStatus = "VALIDATION_UNSUPPORTED" // ValidationFailed occurs if a Validator was not able to make a validation // decision because an error occurred. // This will be returned alongside the error so calling code can decide // whether it's worth retrying. ValidationFailed ValidationStatus = "VALIDATION_FAILED" // ValidationInvalid occurs if a validation was successful but the result is // negative: the Secret is not valid. ValidationInvalid ValidationStatus = "VALIDATION_INVALID" // ValidationValid occurs if the validation was successful and the result is // positive: the Secret is valid. ValidationValid ValidationStatus = "VALIDATION_VALID" )
type Validator ¶
type Validator[S Secret] interface { Validate(ctx context.Context, secret S) (ValidationStatus, error) }
Validator is a Validator for the concrete Secret type S.
It is used to validate Secrets of type S and returns the corresponding ValidationStatus or an error (in which case the ValidationStatus is ValidationStatusFailed).
Directories
¶
| Path | Synopsis |
|---|---|
|
secrets
|
|
|
common/flatjson
Package flatjson contains facilities to extract credentials that are expressed as a single (flat) JSON object whose values are all strings.
|
Package flatjson contains facilities to extract credentials that are expressed as a single (flat) JSON object whose values are all strings. |
|
common/simpletoken
Package simpletoken contains a Detector for tokens that can be extracted by scanning a byte array with a regular expression.
|
Package simpletoken contains a Detector for tokens that can be extracted by scanning a byte array with a regular expression. |
|
gcpapikey
Package gcpapikey contains a Veles Secret type and a Detector for [GCP API keys](https://cloud.google.com/api-keys/docs/overview).
|
Package gcpapikey contains a Veles Secret type and a Detector for [GCP API keys](https://cloud.google.com/api-keys/docs/overview). |
|
gcpexpressmode
Package gcpexpressmode contains a Veles Detector for GCP Express Mode API keys.
|
Package gcpexpressmode contains a Veles Detector for GCP Express Mode API keys. |
|
gcpsak
Package gcpsak contains a Veles Secret type, a Detector, and a Validator for GCP service account keys.
|
Package gcpsak contains a Veles Secret type, a Detector, and a Validator for GCP service account keys. |
|
rubygemsapikey
Package rubygemsapikey contains a Veles Secret type and a Detector for [RubyGems API keys](https://guides.rubygems.org/api-key-scopes/).
|
Package rubygemsapikey contains a Veles Secret type and a Detector for [RubyGems API keys](https://guides.rubygems.org/api-key-scopes/). |
|
Package velestest contains fakes that can be used to test parts of Veles as well as integrations.
|
Package velestest contains fakes that can be used to test parts of Veles as well as integrations. |