secretstore

package
v0.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 17, 2026 License: GPL-3.0 Imports: 10 Imported by: 0

Documentation

Overview

Package credential defines the Credential domain entity for secure credential storage.

Index

Constants

This section is empty.

Variables

View Source 
var (
	// ErrInvalidKey is returned when the encryption key is invalid.
	ErrInvalidKey = errors.New("encryption key must be 32 bytes for AES-256")
	// ErrDecryptionFailed is returned when decryption fails.
	ErrDecryptionFailed = errors.New("failed to decrypt credential data")
	// ErrInvalidCiphertext is returned when the ciphertext is too short.
	ErrInvalidCiphertext = errors.New("ciphertext too short")
)

Functions

This section is empty.

Types

type APIKeyData 

type APIKeyData struct {
	Key string `json:"key"`
}

APIKeyData represents the decrypted data for an API key credential.

type AWSRoleData 

type AWSRoleData struct {
	RoleARN    string `json:"role_arn"`
	ExternalID string `json:"external_id,omitempty"`
}

AWSRoleData represents the decrypted data for an AWS role credential.

type AzureServicePrincipalData 

type AzureServicePrincipalData struct {
	TenantID     string `json:"tenant_id"`
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
}

AzureServicePrincipalData represents the decrypted data for an Azure service principal.

type BasicAuthData 

type BasicAuthData struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

BasicAuthData represents the decrypted data for basic auth credentials.

type BearerTokenData 

type BearerTokenData struct {
	Token string `json:"token"`
}

BearerTokenData represents the decrypted data for a bearer token credential.

type Credential 

type Credential struct {
	ID             shared.ID
	TenantID       shared.ID
	Name           string
	CredentialType CredentialType
	Description    string

	// Encrypted credential data (AES-256-GCM encrypted JSON)
	EncryptedData []byte

	// Key management
	KeyVersion          int
	EncryptionAlgorithm string

	// Metadata
	LastUsedAt    *time.Time
	LastRotatedAt *time.Time
	ExpiresAt     *time.Time

	// Audit fields
	CreatedBy *shared.ID
	CreatedAt time.Time
	UpdatedAt time.Time
}

Credential represents a stored credential for external integrations.

func NewCredential 

func NewCredential(
	tenantID shared.ID,
	name string,
	credentialType CredentialType,
	encryptedData []byte,
	createdBy *shared.ID,
) *Credential

NewCredential creates a new Credential with default values.

func (*Credential) IsExpired 

func (c *Credential) IsExpired() bool

IsExpired checks if the credential has expired.

func (*Credential) MarkUsed 

func (c *Credential) MarkUsed()

MarkUsed updates the last used timestamp.

func (*Credential) Rotate 

func (c *Credential) Rotate(newEncryptedData []byte)

Rotate updates the credential with new encrypted data and increments key version.

type CredentialType 

type CredentialType string

CredentialType represents the type of credential. 

const (
	// CredentialTypeAPIKey represents an API key credential.
	CredentialTypeAPIKey CredentialType = "api_key"
	// CredentialTypeBearerToken represents a bearer token credential.
	CredentialTypeBearerToken CredentialType = "bearer_token"
	// CredentialTypeBasicAuth represents basic authentication credentials.
	CredentialTypeBasicAuth CredentialType = "basic_auth"
	// CredentialTypeSSHKey represents an SSH key credential.
	CredentialTypeSSHKey CredentialType = "ssh_key"
	// CredentialTypeAWSRole represents an AWS IAM role credential.
	CredentialTypeAWSRole CredentialType = "aws_role"
	// CredentialTypeGCPServiceAccount represents a GCP service account credential.
	CredentialTypeGCPServiceAccount CredentialType = "gcp_service_account"
	// CredentialTypeAzureServicePrincipal represents an Azure service principal credential.
	CredentialTypeAzureServicePrincipal CredentialType = "azure_service_principal"
	// CredentialTypeGitHubApp represents a GitHub App credential.
	CredentialTypeGitHubApp CredentialType = "github_app"
	// CredentialTypeGitLabToken represents a GitLab token credential.
	CredentialTypeGitLabToken CredentialType = "gitlab_token"
)

func (CredentialType) IsValid 

func (c CredentialType) IsValid() bool

IsValid checks if the credential type is valid.

type Encryptor 

type Encryptor struct {
	// contains filtered or unexported fields
}

Encryptor handles credential encryption and decryption.

func NewEncryptor 

func NewEncryptor(key []byte) (*Encryptor, error)

NewEncryptor creates a new Encryptor with the given 32-byte key.

func (*Encryptor) Decrypt 

func (e *Encryptor) Decrypt(ciphertext []byte) ([]byte, error)

Decrypt decrypts the given ciphertext using AES-256-GCM.

func (*Encryptor) DecryptJSON 

func (e *Encryptor) DecryptJSON(ciphertext []byte, dest any) error

DecryptJSON decrypts ciphertext and unmarshals to the given struct.

func (*Encryptor) Encrypt 

func (e *Encryptor) Encrypt(plaintext []byte) ([]byte, error)

Encrypt encrypts the given data using AES-256-GCM.

func (*Encryptor) EncryptJSON 

func (e *Encryptor) EncryptJSON(data any) ([]byte, error)

EncryptJSON encrypts a struct as JSON.

type GCPServiceAccountData 

type GCPServiceAccountData struct {
	JSONKey string `json:"json_key"`
}

GCPServiceAccountData represents the decrypted data for a GCP service account.

type GitHubAppData 

type GitHubAppData struct {
	AppID          string `json:"app_id"`
	InstallationID string `json:"installation_id"`
	PrivateKey     string `json:"private_key"`
}

GitHubAppData represents the decrypted data for a GitHub App credential.

type GitLabTokenData 

type GitLabTokenData struct {
	Token string `json:"token"`
}

GitLabTokenData represents the decrypted data for a GitLab token credential.

type ListInput 

type ListInput struct {
	TenantID       shared.ID
	CredentialType *CredentialType
	Page           int
	PageSize       int
	SortBy         string
	SortOrder      string
}

ListInput contains parameters for listing credentials.

type ListOutput 

type ListOutput struct {
	Items      []*Credential
	TotalCount int
}

ListOutput contains the result of listing credentials.

type Repository 

type Repository interface {
	// Create persists a new credential.
	Create(ctx context.Context, credential *Credential) error

	// GetByTenantAndID retrieves a credential by tenant and ID.
	// This is the primary method for fetching credentials as it enforces tenant isolation.
	GetByTenantAndID(ctx context.Context, tenantID, id shared.ID) (*Credential, error)

	// GetByTenantAndName retrieves a credential by tenant and name.
	GetByTenantAndName(ctx context.Context, tenantID shared.ID, name string) (*Credential, error)

	// List lists credentials with pagination and filtering.
	List(ctx context.Context, input ListInput) (*ListOutput, error)

	// Update updates a credential.
	// Note: Implementations should validate tenant ownership before updating.
	Update(ctx context.Context, credential *Credential) error

	// DeleteByTenantAndID deletes a credential with tenant validation.
	DeleteByTenantAndID(ctx context.Context, tenantID, id shared.ID) error

	// UpdateLastUsedByTenantAndID updates only the last_used_at field with tenant validation.
	UpdateLastUsedByTenantAndID(ctx context.Context, tenantID, id shared.ID) error

	// CountByTenant counts credentials for a tenant.
	CountByTenant(ctx context.Context, tenantID shared.ID) (int, error)
}

Repository defines the interface for credential persistence.

type SSHKeyData 

type SSHKeyData struct {
	PrivateKey string `json:"private_key"`
	Passphrase string `json:"passphrase,omitempty"`
}

SSHKeyData represents the decrypted data for an SSH key credential.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.