Overview ¶
Package credentials provides credential management for the OpenCTEM SDK. It defines the Store interface for credential storage and retrieval and ships implementations backed by environment variables (EnvStore), plain and encrypted JSON files (FileStore, EncryptedFileStore), process memory (MemoryStore) and an ordered chain of stores (ChainedStore). External vaults (HashiCorp Vault, AWS Secrets Manager, etc.) are supported by implementing Store yourself rather than by a bundled backend.
Index ¶
- Variables
- func GetValue(ctx context.Context, key string) (string, error)
- func SecureClear(cred *Credential)
- func SecureCompare(a, b string) bool
- func SetDefaultStore(store Store)
- func ValidateKey(key string) error
- func WithStore(ctx context.Context, store Store) context.Context
- type AESEncryptor
- type ChainedStore
- func (s *ChainedStore) Delete(ctx context.Context, key string) error
- func (s *ChainedStore) Exists(ctx context.Context, key string) (bool, error)
- func (s *ChainedStore) Get(ctx context.Context, key string) (*Credential, error)
- func (s *ChainedStore) List(ctx context.Context, prefix string) ([]string, error)
- func (s *ChainedStore) Set(ctx context.Context, key string, cred *Credential) error
- type Credential
- type CredentialType
- type EncryptedFileStore
- func (s *EncryptedFileStore) Delete(ctx context.Context, key string) error
- func (s *EncryptedFileStore) Exists(ctx context.Context, key string) (bool, error)
- func (s *EncryptedFileStore) Get(ctx context.Context, key string) (*Credential, error)
- func (s *EncryptedFileStore) List(ctx context.Context, prefix string) ([]string, error)
- func (s *EncryptedFileStore) Set(ctx context.Context, key string, cred *Credential) error
- type Encryptor
- type EnvStore
- func (s *EnvStore) Delete(ctx context.Context, key string) error
- func (s *EnvStore) Exists(ctx context.Context, key string) (bool, error)
- func (s *EnvStore) Get(ctx context.Context, key string) (*Credential, error)
- func (s *EnvStore) List(ctx context.Context, prefix string) ([]string, error)
- func (s *EnvStore) Set(ctx context.Context, key string, cred *Credential) error
- type FileStore
- func (s *FileStore) Delete(ctx context.Context, key string) error
- func (s *FileStore) Exists(ctx context.Context, key string) (bool, error)
- func (s *FileStore) Get(ctx context.Context, key string) (*Credential, error)
- func (s *FileStore) List(ctx context.Context, prefix string) ([]string, error)
- func (s *FileStore) Set(ctx context.Context, key string, cred *Credential) error
- type MemoryStore
- func (s *MemoryStore) Delete(ctx context.Context, key string) error
- func (s *MemoryStore) Exists(ctx context.Context, key string) (bool, error)
- func (s *MemoryStore) Get(ctx context.Context, key string) (*Credential, error)
- func (s *MemoryStore) List(ctx context.Context, prefix string) ([]string, error)
- func (s *MemoryStore) Set(ctx context.Context, key string, cred *Credential) error
- type Store
Constants ¶
This section is empty.
Variables ¶
// Sentinel errors returned by credential operations. Stores may wrap them
// with additional context, so callers should match with errors.Is rather
// than comparing with ==.
var (
	// ErrCredentialNotFound: no credential is stored under the requested key.
	ErrCredentialNotFound = fmt.Errorf("credential not found")
	// ErrReadOnly: the store does not support Set/Delete.
	ErrReadOnly = fmt.Errorf("store is read-only")
	// ErrInvalidCredential: the Credential passed to Set is malformed.
	ErrInvalidCredential = fmt.Errorf("invalid credential")
	// ErrInvalidKey: the key failed ValidateKey.
	ErrInvalidKey = fmt.Errorf("invalid credential key")
	// ErrEncryptionFailed: an Encryptor could not encrypt a value.
	ErrEncryptionFailed = fmt.Errorf("encryption failed")
	// ErrDecryptionFailed: an Encryptor could not decrypt a value (wrong key,
	// or, for authenticated ciphers such as AES-GCM, tampered ciphertext).
	ErrDecryptionFailed = fmt.Errorf("decryption failed")
)
Sentinel errors returned by credential operations. Stores may wrap them with additional context, so match them with errors.Is rather than ==. Error messages never contain the credential value; keep it that way in custom Store implementations.
Functions ¶
func SecureClear ¶
func SecureClear(cred *Credential)
SecureClear is a best-effort attempt to remove sensitive credential data from memory: it overwrites the fields of cred with zero values so that the Credential no longer references the secret. Because Value and SecondaryValue are Go strings, the bytes backing them cannot be overwritten in place and remain in memory until garbage-collected, as do any copies made by callers, by JSON encoding, or by the transport that delivered them. Treat it as defense in depth against memory dumps and core files, not as a guarantee of erasure, and do not use cred after calling it.
func SecureCompare ¶
SecureCompare performs a constant-time comparison of two credential values, so the time taken does not depend on how many leading bytes match. Use it instead of == whenever a stored secret is compared with user-supplied input (API keys, tokens, passwords). Constant-time comparison does not hide a difference in length: implementations built on crypto/subtle.ConstantTimeCompare return immediately when the lengths differ, so the length of the secret may still be observable.
func SetDefaultStore ¶
func SetDefaultStore(store Store)
SetDefaultStore sets the global default credential store, which is used by Get and MustGet and returned by StoreFromContext when the context carries no store. It is process-wide mutable state: set it once during initialization, before any goroutine reads it, unless the implementation is documented as safe for concurrent use.
func ValidateKey ¶
ValidateKey checks if a credential key is valid and safe. Returns ErrInvalidKey if the key contains characters the package considers unsafe (the exact character set is defined by the implementation, not on this page). Keys reach backends as environment-variable names and file-store entries, so validate any key that originates from untrusted input before passing it to a Store; do not assume every Store implementation calls ValidateKey itself.
Types ¶
type AESEncryptor ¶
type AESEncryptor struct {
// contains filtered or unexported fields
}
AESEncryptor implements Encryptor using AES-GCM.
func NewAESEncryptor ¶
func NewAESEncryptor(key []byte) (*AESEncryptor, error)
NewAESEncryptor creates a new AES-GCM encryptor. Key must be 16, 24, or 32 bytes for AES-128, AES-192, or AES-256, and should come from a cryptographically secure random source or a key-derivation function, never from a password used directly. AES-GCM provides confidentiality and integrity, but its security depends on never reusing a nonce under the same key; the nonce strategy is not documented on this page, so confirm it in the implementation before encrypting a large number of values under one key (with random 96-bit nonces, rotate the key well before 2^32 encryptions).
func NewAESEncryptorFromEnv ¶
func NewAESEncryptorFromEnv(envVar string) (*AESEncryptor, error)
NewAESEncryptorFromEnv creates an AES encryptor from an environment variable. The variable's value should be the base64 encoding of a 16-, 24- or 32-byte key (see NewAESEncryptor). Environment variables are inherited by child processes and are often readable by other processes of the same user, so use this only where the process environment is already the secret boundary (CI/CD jobs, containers injected by an orchestrator).
type ChainedStore ¶
type ChainedStore struct {
// contains filtered or unexported fields
}
ChainedStore implements Store by checking multiple stores in order. Useful for layering local overrides on top of a central store. Because an earlier store shadows later ones, the order of stores is security-relevant: a writable local store placed first can silently override a credential from the central store.
func NewChainedStore ¶
func NewChainedStore(stores ...Store) *ChainedStore
NewChainedStore creates a new chained credential store. Stores are checked in order and the first match wins. How Set and Delete are routed across the chain (first store only, or all stores) is not documented on this page; check the implementation before relying on write-through behavior.
func (*ChainedStore) Get ¶
func (s *ChainedStore) Get(ctx context.Context, key string) (*Credential, error)
func (*ChainedStore) Set ¶
func (s *ChainedStore) Set(ctx context.Context, key string, cred *Credential) error
type Credential ¶
// Credential represents a stored credential.
//
// Value and SecondaryValue hold secret material in plaintext. Both carry
// json tags, so encoding a Credential with encoding/json writes the secrets
// out in the clear; never marshal or log a Credential except into a trusted
// store. Call SecureClear when the credential is no longer needed (it is
// best-effort; see its documentation).
type Credential struct {
	// Key is the credential identifier.
	Key string `json:"key"`
	// Type categorizes the credential (api_key, token, password, certificate, etc.).
	Type CredentialType `json:"type"`
	// Value is the actual credential value. Secret material; serialized in
	// plaintext by the json tag.
	Value string `json:"value"`
	// SecondaryValue holds additional values (e.g., client_secret for OAuth).
	// Secret material as well; omitted from JSON only when empty.
	SecondaryValue string `json:"secondary_value,omitempty"`
	// Metadata holds additional credential information. Keep it non-secret;
	// nothing here is treated as sensitive.
	Metadata map[string]string `json:"metadata,omitempty"`
	// ExpiresAt is the credential expiration time (if applicable); nil when
	// there is none. See IsExpired.
	ExpiresAt *time.Time `json:"expires_at,omitempty"`
	// CreatedAt is when the credential was stored.
	CreatedAt time.Time `json:"created_at"`
	// UpdatedAt is when the credential was last updated.
	UpdatedAt time.Time `json:"updated_at"`
}
Credential represents a stored credential. Value and SecondaryValue hold secret material in plaintext and are included in the JSON encoding of the struct, so never log or marshal a Credential except into a trusted store.
func Get ¶
func Get(ctx context.Context, key string) (*Credential, error)
Get retrieves a credential from the default store.
func MustGet ¶
func MustGet(ctx context.Context, key string) *Credential
MustGet retrieves a credential from the default store, panicking on any error. It is intended for process start-up, where a missing or unreadable credential should abort the program; avoid it on request-handling paths, where a key influenced by an attacker would turn into a crash.
func (*Credential) IsExpired ¶
func (c *Credential) IsExpired() bool
IsExpired reports whether the credential has passed its ExpiresAt time. A nil ExpiresAt presumably means the credential never expires; confirm this in the implementation. Stores are not documented as filtering expired credentials on Get, so callers should check this before use.
type CredentialType ¶
type CredentialType string
CredentialType represents the type of credential.
// Known credential types. CredentialType is a plain string, so a store may
// hold values outside this list; treat unknown types as opaque rather than
// rejecting them.
const (
	CredentialTypeAPIKey      CredentialType = "api_key"
	CredentialTypeToken       CredentialType = "token"
	CredentialTypePassword    CredentialType = "password"
	CredentialTypeOAuth       CredentialType = "oauth"
	CredentialTypeCertificate CredentialType = "certificate"
	CredentialTypeSSHKey      CredentialType = "ssh_key"
	CredentialTypeSecret      CredentialType = "secret"
)
type EncryptedFileStore ¶
type EncryptedFileStore struct {
// contains filtered or unexported fields
}
EncryptedFileStore implements Store using a JSON file encrypted with the supplied Encryptor. Compared with FileStore it protects the confidentiality (and, with AES-GCM, the integrity) of credentials at rest. Its security reduces to that of the encryption key, which must not be stored next to the file, and to the file's permissions, which limit who can read it, tamper with it, or replace it with an older copy.
func NewEncryptedFileStore ¶
func NewEncryptedFileStore(filePath string, encryptor Encryptor) (*EncryptedFileStore, error)
NewEncryptedFileStore creates a new encrypted file-based credential store.
func (*EncryptedFileStore) Delete ¶
func (s *EncryptedFileStore) Delete(ctx context.Context, key string) error
func (*EncryptedFileStore) Get ¶
func (s *EncryptedFileStore) Get(ctx context.Context, key string) (*Credential, error)
func (*EncryptedFileStore) Set ¶
func (s *EncryptedFileStore) Set(ctx context.Context, key string, cred *Credential) error
type Encryptor ¶
// Encryptor provides encryption/decryption for credential values.
//
// Implementations should use authenticated encryption so that tampered
// ciphertext is rejected on Decrypt; the bundled AESEncryptor uses AES-GCM,
// which is authenticated. NOTE(review): whether Decrypt is required to
// return ErrDecryptionFailed on failure is not spelled out on this page;
// confirm against the implementations.
type Encryptor interface {
	// Encrypt encrypts plaintext and returns ciphertext.
	// Callers must not assume ciphertext and plaintext have the same length;
	// an authenticated cipher appends at least an authentication tag.
	Encrypt(plaintext []byte) ([]byte, error)
	// Decrypt decrypts ciphertext and returns plaintext.
	Decrypt(ciphertext []byte) ([]byte, error)
}
Encryptor provides encryption/decryption for credential values. Implementations should use authenticated encryption so that tampered ciphertext is rejected on Decrypt; the bundled AESEncryptor (AES-GCM) does.
type EnvStore ¶
// EnvStore implements Store using environment variables. It's the simplest
// store implementation and suitable for CI/CD environments.
//
// Environment variables are inherited by child processes and are often
// readable by other processes of the same user, so this store provides no
// isolation beyond what the host already gives the process. Whether Set and
// Delete modify the process environment or the store is read-only
// (ErrReadOnly) is not stated on this page; check the implementation.
type EnvStore struct {
	// Prefix is prepended to all key lookups (e.g., "OPENCTEM_").
	Prefix string
	// Mapping overrides key-to-env-var mapping: a key present here is resolved
	// to the mapped variable name (whether Prefix still applies to mapped
	// names is not documented here).
	Mapping map[string]string
}
EnvStore implements Store using environment variables. It's the simplest store implementation and suitable for CI/CD environments, where the job environment is already the secret boundary. Environment variables are inherited by child processes and are often readable by other processes of the same user, so this store provides no isolation beyond what the host already gives the process.
func NewEnvStore ¶
NewEnvStore creates a new environment variable credential store.
func NewEnvStoreWithMapping ¶
NewEnvStoreWithMapping creates a new environment store with custom mapping.
type FileStore ¶
type FileStore struct {
// contains filtered or unexported fields
}
FileStore implements Store using a plaintext JSON file: credentials are written to disk unencrypted. Suitable for local development, NOT recommended for production. Use EncryptedFileStore or an external backend instead, and keep the file's permissions restricted to the owning user.
func NewFileStore ¶
NewFileStore creates a new file-based credential store.
type MemoryStore ¶
type MemoryStore struct {
// contains filtered or unexported fields
}
MemoryStore implements Store using in-memory storage; nothing is persisted and the contents are lost when the process exits. Useful for testing and development. Whether it is safe for concurrent use from multiple goroutines is not stated on this page.
func NewMemoryStore ¶
func NewMemoryStore() *MemoryStore
NewMemoryStore creates a new in-memory credential store.
func (*MemoryStore) Get ¶
func (s *MemoryStore) Get(ctx context.Context, key string) (*Credential, error)
func (*MemoryStore) Set ¶
func (s *MemoryStore) Set(ctx context.Context, key string, cred *Credential) error
type Store ¶
// Store is the interface for credential storage and retrieval. Implement
// this interface to use custom credential backends (Vault, AWS Secrets
// Manager, etc.).
//
// Guidance for implementers: never include Credential.Value or
// SecondaryValue in error messages or logs; return ErrCredentialNotFound
// for a missing key and ErrReadOnly from Set/Delete on read-only backends;
// run keys through ValidateKey before using them as file names, paths or
// variable names; and honor ctx cancellation on network-backed stores.
type Store interface {
	// Get retrieves a credential by key.
	Get(ctx context.Context, key string) (*Credential, error)
	// Set stores a credential.
	Set(ctx context.Context, key string, cred *Credential) error
	// Delete removes a credential.
	Delete(ctx context.Context, key string) error
	// List returns all credential keys matching a prefix.
	List(ctx context.Context, prefix string) ([]string, error)
	// Exists checks if a credential exists.
	Exists(ctx context.Context, key string) (bool, error)
}
Store is the interface for credential storage and retrieval. Implement this interface to use custom credential backends (Vault, AWS Secrets Manager, etc.). Implementations should never put Credential.Value or SecondaryValue into error messages or logs, should return ErrCredentialNotFound for a missing key and ErrReadOnly from Set/Delete on read-only backends, and should validate keys with ValidateKey before using them as file names, paths or variable names.
func GetDefaultStore ¶
func GetDefaultStore() Store
GetDefaultStore returns the global default credential store.
func StoreFromContext ¶
StoreFromContext returns the store attached to ctx by WithStore, or the global default store (see GetDefaultStore) if none was attached.