README
¶
Launchr Keyring
Keyring is a launchr plugin and a service providing a password storage functionality encrypted with age. The storage is encrypted with a passphrase.
How to use
To add a new item with an interactive shell:
launchr login
If an interactive shell is not available, credentials may be provided with flags:
# Input passphrase directly
launchr login \
--url=https://your.gitlab.com \
--username=USER \
--password=SECRETPASSWORD \
--keyring-passphrase=YOURPASSHRPASE
# Get passphrase from a file
launchr login \
--url=https://your.gitlab.com \
--username=USER \
--password=SECRETPASSWORD \
--keyring-passphrase-file=/path/to/your/secret
To add a new key-value pair with an interactive shell:
launchr keyring:set your-key
It's possible to parse a user value and store it as a struct in a keyring. Supported formats are [string, yaml, json]:
launchr keyring:set your-key value
It's possible to parse a user value and store it as a struct in a keyring. Possible formats are [string, yaml, json]:
launchr keyring:set key --format yaml -- "- name: test-1
- name: test-2"
launchr keyring:set key --format yaml -- "$(cat file.yaml)"
launchr keyring:set key --format json -- '[
{
"name": "test-1"
},
{
"name": "test-2"
}
]'
launchr keyring:set key --format json -- "$(cat file.json)"
You can dynamically build JSON\YAML wit structures and pass them directly to the command: jq
# Define your variables
TOKEN1="abc123def456"
NAME1="production-api-key"
CREATED1="2025-01-15T10:30:00Z"
TOKEN2="xyz789uvw012"
NAME2="development-token"
CREATED2="2025-01-15T11:45:00Z"
EXPIRES2="2025-07-15T11:45:00Z"
launchr keyring:set api-tokens-json --format json -- "$(jq -n \
--arg t1 "$TOKEN1" --arg n1 "$NAME1" --arg c1 "$CREATED1" \
--arg t2 "$TOKEN2" --arg n2 "$NAME2" --arg c2 "$CREATED2" --arg e2 "$EXPIRES2" \
'[
{
tokenhash: $t1,
name: $n1,
created: $c1,
expires: null
},
{
tokenhash: $t2,
name: $n2,
created: $c2,
expires: $e2
}
]')"
yq using same variables:
launchr keyring:set api-tokens-yaml --format yaml -- "$(yq -n \
'.[0].tokenhash = env(TOKEN1) |
.[0].name = env(NAME1) |
.[0].created = env(CREATED1) |
.[0].expires = null |
.[1].tokenhash = env(TOKEN2) |
.[1].name = env(NAME2) |
.[1].created = env(CREATED2) |
.[1].expires = env(EXPIRES2)')"
Flags --keyring-passphrase and --keyring-passphrase-file are available for all launchr commands, for example:
launchr compose --keyring-passphrase=YOURPASSHRPASE
launchr compose --keyring-passphrase-file=/path/to/your/secret
These flags may be passed as environment variables LAUNCHR_KEYRING_PASSPHRASE and LAUNCHR_KEYRING_PASSPHRASE_FILE:
LAUNCHR_KEYRING_PASSPHRASE=YOURPASSHRPASE launchr compose
LAUNCHR_KEYRING_PASSPHRASE_FILE=/path/to/your/secret launchr compose
Flags and environment variables are taken in the following priority:
--keyring-passphraseLAUNCHR_KEYRING_PASSPHRASE--keyring-passphrase-fileLAUNCHR_KEYRING_PASSPHRASE_FILE
NB: If the binary is created with a specific app name like myappname, the variable name will change accordingly MYAPPNAME_KEYRING_PASSPHRASE_FILE.
Flag --keyring-passphrase-file will also set LAUNCHR_KEYRING_PASSPHRASE_FILE for subprocesses.
These environment variables are inherited in subprocesses.
Using --keyring-passphrase-file or LAUNCHR_KEYRING_PASSPHRASE_FILE is a preferred way to pass the secret because the secret won't be exposed.
To delete an item from the keyring:
launchr logout URL
launchr logout --all
The file is created in .launchr/keyring.yaml.age.
The content may be viewed/edited with age cli:
age -d .launchr/keyring.yaml.age
age -p .launchr/keyring.yaml > .launchr/keyring.yaml.age
In code
Add a module dependency:
go get -u github.com/launchrctl/keyring
To use the keyring in code, get the service from the app:
package main
import (
"github.com/launchrctl/keyring"
"github.com/launchrctl/launchr"
)
func GetPassword(app launchr.App, url string) (keyring.CredentialsItem, error) {
// Get the service by type from the app.
var k keyring.Keyring
app.Services().Get(k)
// Get by url. Error if the keyring could not be unlocked.
// Error keyring.ErrNotFound is returned if an item was not found.
creds, err := k.GetForURL(url)
if err != nil {
return keyring.CredentialsItem{}, err
}
return creds, nil
}
Include with launchr build:
launchr build -p github.com/launchrctl/keyring
Documentation
¶
Overview ¶
Package keyring provides password store functionality.
Index ¶
- Variables
- func RequestCredentialsFromTty(creds *CredentialsItem) error
- func RequestKeyValueFromTty(item *KeyValueItem) error
- type AskPass
- type AskPassConst
- type AskPassFirstAvailable
- type AskPassWithTerminal
- type CredentialsFile
- type CredentialsItem
- type DataStore
- type GetKeyValueProcessorOptions
- type KeyValueItem
- type Keyring
- type Plugin
- func (p *Plugin) CobraAddCommands(rootCmd *launchr.Command) error
- func (p *Plugin) DiscoverActions(_ context.Context) ([]*action.Action, error)
- func (p *Plugin) OnAppInit(app launchr.App) error
- func (p *Plugin) PersistentPreRun(cmd *launchr.Command, _ []string) error
- func (p *Plugin) PluginInfo() launchr.PluginInfo
- type SecretItem
Constants ¶
This section is empty.
Variables ¶
var ( ErrNotFound = errors.New("item not found") // ErrNotFound if an item was not found ErrEmptyFields = errors.New("item can't be empty") // ErrEmptyFields if fields are empty ErrEmptyPass = errors.New("passphrase can't be empty") // ErrEmptyPass if a passphrase is empty ErrKeyringMalformed = errors.New("the keyring is malformed") // ErrKeyringMalformed when keyring can't be read. ErrIncorrectPass = errors.New("the given passphrase is incorrect") // ErrIncorrectPass if a passphrase is incorrect )
Keyring errors.
Functions ¶
func RequestCredentialsFromTty ¶ added in v0.1.1
func RequestCredentialsFromTty(creds *CredentialsItem) error
RequestCredentialsFromTty gets credentials from tty.
func RequestKeyValueFromTty ¶ added in v0.2.0
func RequestKeyValueFromTty(item *KeyValueItem) error
RequestKeyValueFromTty gets key-value pair from tty.
Types ¶
type AskPass ¶
type AskPass interface {
// GetPass retrieves a passphrase for auth.
GetPass() (string, error)
// NewPass requests for a new passphrase.
NewPass() (string, error)
}
AskPass defines basic interface to retrieve passphrase.
type AskPassConst ¶ added in v0.7.0
AskPassConst implements AskPass and returns constant.
func (AskPassConst) GetPass ¶ added in v0.7.0
func (a AskPassConst) GetPass() (string, error)
GetPass implements AskPass interface.
func (AskPassConst) NewPass ¶ added in v0.7.0
func (a AskPassConst) NewPass() (string, error)
NewPass implements AskPass interface.
type AskPassFirstAvailable ¶ added in v0.7.0
type AskPassFirstAvailable []AskPass
AskPassFirstAvailable tries a chain of AskPass and returns first available.
func (AskPassFirstAvailable) GetPass ¶ added in v0.7.0
func (a AskPassFirstAvailable) GetPass() (string, error)
GetPass implements AskPass interface.
func (AskPassFirstAvailable) NewPass ¶ added in v0.7.0
func (a AskPassFirstAvailable) NewPass() (string, error)
NewPass implements AskPass interface.
type AskPassWithTerminal ¶
type AskPassWithTerminal struct{}
AskPassWithTerminal implements AskPass and uses tty to retrieve passphrase. @todo support pipe and stdin
func (AskPassWithTerminal) GetPass ¶
func (a AskPassWithTerminal) GetPass() (string, error)
GetPass implements AskPass interface.
func (AskPassWithTerminal) NewPass ¶
func (a AskPassWithTerminal) NewPass() (string, error)
NewPass implements AskPass interface.
type CredentialsFile ¶
type CredentialsFile interface {
io.ReadWriteCloser
// Open opens a file in FS with flag open options and perm for file permissions if the file is new.
// See os.OpenFile for more info about flag and perm arguments.
Open(flag int, perm fs.FileMode) error
// Unlock decrypts a file if supported.
Unlock(askNew bool) error
// Lock makes it to request Unlock again.
Lock()
// Remove deletes a file from FS.
Remove() error
// Stat returns a [FileInfo] describing the named file.
// If there is an error, it will be of type [*PathError].
// See os.Stat().
Stat() (fs.FileInfo, error)
}
CredentialsFile is an interface to open and edit credentials file.
func NewAgeFile ¶ added in v0.7.0
func NewAgeFile(fname string, askPass AskPass) CredentialsFile
NewAgeFile creates a CredentialsFile to open a file encrypted with age.
func NewPlainFile ¶ added in v0.7.0
func NewPlainFile(fname string) CredentialsFile
NewPlainFile creates a CredentialsFile to open a plain file.
type CredentialsItem ¶
type CredentialsItem struct {
URL string `yaml:"url"`
Username string `yaml:"username"`
Password string `yaml:"password"`
}
CredentialsItem stores credentials.
type DataStore ¶ added in v0.2.0
type DataStore interface {
// GetUrls retrieves a list of stored URLs.
GetUrls() ([]string, error)
// GetKeys retrieves a list of stored keys.
GetKeys() ([]string, error)
// GetForURL returns a credentials item by a URL.
// Error is returned if either the keyring could not be unlocked
// Error ErrNotFound if the credentials were not found.
GetForURL(url string) (CredentialsItem, error)
// GetForKey returns a key-value item by a key.
// Error is returned if either the keyring could not be unlocked
// Error ErrNotFound if the key was not found.
GetForKey(key string) (KeyValueItem, error)
// AddItem adds a new credential item.
// Error is returned if the vault couldn't be unlocked.
// Error ErrEmptyFields is returned if item is empty.
AddItem(SecretItem) error
// RemoveByURL deletes an item by url.
// Error is returned if the vault couldn't be unlocked.
// Error ErrNotFound if the credentials were not found.
RemoveByURL(url string) error
// RemoveByKey deletes an item by key.
// Error is returned if the vault couldn't be unlocked.
// Error ErrNotFound if the credentials were not found.
RemoveByKey(key string) error
// CleanStorage cleanups storage (credentials or key-value).
// Error is returned if the vault couldn't be unlocked.
CleanStorage(item SecretItem) error
// Exists checks if keyring exists in persistent storage.
Exists() bool
// Save saves the keyring to the persistent storage.
Save() error
// Destroy removes the keyring from the persistent storage.
Destroy() error
}
DataStore provides password storage functionality.
func NewFileStore ¶ added in v0.7.0
func NewFileStore(f CredentialsFile) DataStore
NewFileStore creates a DataStore using a file.
type GetKeyValueProcessorOptions ¶ added in v0.3.1
type GetKeyValueProcessorOptions = *action.GenericValueProcessorOptions[struct { Key string `yaml:"key" validate:"not-empty"` }]
GetKeyValueProcessorOptions is a action.ValueProcessorOptions struct.
type KeyValueItem ¶ added in v0.2.0
KeyValueItem stores key-value pair.
type Keyring ¶
type Keyring = *keyringService
Keyring is a launchr.Service providing password store functionality.
func NewService ¶ added in v0.7.0
func NewService(store DataStore, mask *launchr.SensitiveMask) Keyring
NewService creates a new Keyring service.
type Plugin ¶
type Plugin struct {
// contains filtered or unexported fields
}
Plugin is launchr.Plugin plugin providing a keyring.
func (*Plugin) CobraAddCommands ¶
CobraAddCommands implements launchr.CobraPlugin interface to provide keyring functionality.
func (*Plugin) DiscoverActions ¶ added in v0.3.0
DiscoverActions implements launchr.ActionDiscoveryPlugin interface.
func (*Plugin) OnAppInit ¶ added in v0.1.0
OnAppInit implements launchr.Plugin interface.
func (*Plugin) PersistentPreRun ¶ added in v0.4.0
PersistentPreRun implements launchr.PersistentPreRun interface.
func (*Plugin) PluginInfo ¶
func (p *Plugin) PluginInfo() launchr.PluginInfo
PluginInfo implements launchr.Plugin interface.
type SecretItem ¶ added in v0.2.0
type SecretItem interface {
// contains filtered or unexported methods
}
SecretItem is an interface that represents an item saved in a storage. It is used in the DataStore interface for adding and manipulating items.
Source Files
Directories