Documentation
¶
Overview ¶
Package vault provides a secure credential management system for the LLMreconing Tool.
Package vault provides a secure credential management system for the LLMreconing Tool.
Package vault provides a secure credential management system for the LLMreconing Tool.
Index ¶
- func GenerateCredentialID(service string, name string) string
- func InitDefaultAuditIntegration(configDir string, userIDProvider func() string) error
- func InitDefaultIntegration(configDir string, passphrase string, ...) error
- func InitDefaultManager(options ManagerOptions) error
- type AuditIntegration
- func (a *AuditIntegration) DeleteCredential(id string) error
- func (a *AuditIntegration) GetAPIKey(provider core.ProviderType) (string, error)
- func (a *AuditIntegration) GetCredential(id string) (*Credential, error)
- func (a *AuditIntegration) GetCredentialsWithAnomalousAccess(threshold int) ([]*Credential, error)
- func (a *AuditIntegration) GetUnusedCredentials(days int) ([]*Credential, error)
- func (a *AuditIntegration) RotateCredential(id string, newValue string) error
- func (a *AuditIntegration) SetAPIKey(provider core.ProviderType, apiKey string, description string) error
- func (a *AuditIntegration) StoreCredential(cred *Credential) error
- func (a *AuditIntegration) WrapManager()
- type ConfigIntegration
- type Credential
- type CredentialManager
- func (m *CredentialManager) Close() error
- func (m *CredentialManager) DeleteCredential(id string) error
- func (m *CredentialManager) GetAPIKey(providerType core.ProviderType) (string, error)
- func (m *CredentialManager) GetCredential(id string) (*Credential, error)
- func (m *CredentialManager) GetCredentialsNeedingRotation() ([]*Credential, error)
- func (m *CredentialManager) InstallGitHook() error
- func (m *CredentialManager) InstallGitHookInDir(customDir string) error
- func (m *CredentialManager) ListCredentials() ([]*Credential, error)
- func (m *CredentialManager) ListCredentialsByService(service string) ([]*Credential, error)
- func (m *CredentialManager) ListCredentialsByTag(tag string) ([]*Credential, error)
- func (m *CredentialManager) ListCredentialsByType(credType CredentialType) ([]*Credential, error)
- func (m *CredentialManager) LoadFromEnv() error
- func (m *CredentialManager) RotateCredential(id string, newValue string) error
- func (m *CredentialManager) SetAPIKey(providerType core.ProviderType, apiKey string, description string) error
- func (m *CredentialManager) StoreCredential(cred *Credential) error
- type CredentialType
- type ManagerOptions
- type RotationPolicy
- type SecureVault
- func (v *SecureVault) Close() error
- func (v *SecureVault) DeleteCredential(id string) error
- func (v *SecureVault) GetCredential(id string) (*Credential, error)
- func (v *SecureVault) GetCredentialsNeedingRotation() ([]*Credential, error)
- func (v *SecureVault) ListCredentials() ([]*Credential, error)
- func (v *SecureVault) ListCredentialsByService(service string) ([]*Credential, error)
- func (v *SecureVault) ListCredentialsByTag(tag string) ([]*Credential, error)
- func (v *SecureVault) ListCredentialsByType(credType CredentialType) ([]*Credential, error)
- func (v *SecureVault) RotateCredential(id string, newValue string) error
- func (v *SecureVault) Save() error
- func (v *SecureVault) StoreCredential(cred *Credential) error
- type VaultOptions
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GenerateCredentialID ¶
GenerateCredentialID generates a unique ID for a credential
func InitDefaultAuditIntegration ¶
InitDefaultAuditIntegration initializes the default audit integration
func InitDefaultIntegration ¶
func InitDefaultIntegration(configDir string, passphrase string, auditLogger *securityAudit.AuditLoggerAdapter) error
InitDefaultIntegration initializes the default configuration integration
func InitDefaultManager ¶
func InitDefaultManager(options ManagerOptions) error
InitDefaultManager initializes the default credential manager
Types ¶
type AuditIntegration ¶
type AuditIntegration struct {
// contains filtered or unexported fields
}
AuditIntegration integrates the credential manager with audit logging
var DefaultAuditIntegration *AuditIntegration
DefaultAuditIntegration is the default audit integration
func NewAuditIntegration ¶
func NewAuditIntegration(manager *CredentialManager, auditLogger *audit.CredentialAuditLogger) *AuditIntegration
NewAuditIntegration creates a new audit integration
func (*AuditIntegration) DeleteCredential ¶
func (a *AuditIntegration) DeleteCredential(id string) error
DeleteCredential wraps the original DeleteCredential method with audit logging
func (*AuditIntegration) GetAPIKey ¶
func (a *AuditIntegration) GetAPIKey(provider core.ProviderType) (string, error)
GetAPIKey wraps the original GetAPIKey method with audit logging
func (*AuditIntegration) GetCredential ¶
func (a *AuditIntegration) GetCredential(id string) (*Credential, error)
GetCredential wraps the original GetCredential method with audit logging
func (*AuditIntegration) GetCredentialsWithAnomalousAccess ¶
func (a *AuditIntegration) GetCredentialsWithAnomalousAccess(threshold int) ([]*Credential, error)
GetCredentialsWithAnomalousAccess returns credentials with anomalous access patterns
func (*AuditIntegration) GetUnusedCredentials ¶
func (a *AuditIntegration) GetUnusedCredentials(days int) ([]*Credential, error)
GetUnusedCredentials returns credentials that haven't been accessed in the specified duration
func (*AuditIntegration) RotateCredential ¶
func (a *AuditIntegration) RotateCredential(id string, newValue string) error
RotateCredential wraps the original RotateCredential method with audit logging
func (*AuditIntegration) SetAPIKey ¶
func (a *AuditIntegration) SetAPIKey(provider core.ProviderType, apiKey string, description string) error
SetAPIKey wraps the original SetAPIKey method with audit logging
func (*AuditIntegration) StoreCredential ¶
func (a *AuditIntegration) StoreCredential(cred *Credential) error
StoreCredential wraps the original StoreCredential method with audit logging
func (*AuditIntegration) WrapManager ¶
func (a *AuditIntegration) WrapManager()
WrapManager creates a proxy manager with audit logging
type ConfigIntegration ¶
type ConfigIntegration struct {
// contains filtered or unexported fields
}
ConfigIntegration integrates the secure vault with the existing configuration system
var DefaultIntegration *ConfigIntegration
DefaultIntegration is the default configuration integration
func NewConfigIntegration ¶
func NewConfigIntegration(credManager *CredentialManager, cfg *config.Config) *ConfigIntegration
NewConfigIntegration creates a new configuration integration
func (*ConfigIntegration) Initialize ¶
func (i *ConfigIntegration) Initialize() error
Initialize initializes the integration
func (*ConfigIntegration) SaveConfig ¶
func (i *ConfigIntegration) SaveConfig() error
SaveConfig saves the application configuration without sensitive data
func (*ConfigIntegration) SetupGitIgnore ¶
func (i *ConfigIntegration) SetupGitIgnore() error
SetupGitIgnore ensures that sensitive files are added to .gitignore
func (*ConfigIntegration) UpdateConfig ¶
func (i *ConfigIntegration) UpdateConfig() error
UpdateConfig updates the application configuration with credentials from the vault
type Credential ¶
type Credential struct {
// ID is a unique identifier for the credential
ID string `json:"id"`
// Name is a human-readable name for the credential
Name string `json:"name"`
// Type is the type of credential
Type CredentialType `json:"type"`
// Service is the service this credential is for (e.g., "openai", "anthropic")
Service string `json:"service"`
// Value is the actual credential value (encrypted when stored)
Value string `json:"value"`
// Description is an optional description of the credential
Description string `json:"description,omitempty"`
// Tags are optional tags for organizing credentials
Tags []string `json:"tags,omitempty"`
// Metadata is additional metadata for the credential
Metadata map[string]string `json:"metadata,omitempty"`
// RotationPolicy is the rotation policy for this credential
RotationPolicy *RotationPolicy `json:"rotation_policy,omitempty"`
// CreatedAt is when the credential was created
CreatedAt time.Time `json:"created_at"`
// UpdatedAt is when the credential was last updated
UpdatedAt time.Time `json:"updated_at"`
// ExpiresAt is when the credential expires (if applicable)
ExpiresAt time.Time `json:"expires_at,omitempty"`
// LastUsedAt is when the credential was last used
LastUsedAt time.Time `json:"last_used_at,omitempty"`
}
Credential represents a secure credential
type CredentialManager ¶
type CredentialManager struct {
// contains filtered or unexported fields
}
CredentialManager manages credentials for the application
var DefaultManager *CredentialManager
DefaultManager is the default credential manager
func NewCredentialManager ¶
func NewCredentialManager(options ManagerOptions) (*CredentialManager, error)
NewCredentialManager creates a new credential manager
func (*CredentialManager) Close ¶
func (m *CredentialManager) Close() error
Close closes the credential manager
func (*CredentialManager) DeleteCredential ¶
func (m *CredentialManager) DeleteCredential(id string) error
DeleteCredential deletes a credential by ID
func (*CredentialManager) GetAPIKey ¶
func (m *CredentialManager) GetAPIKey(providerType core.ProviderType) (string, error)
GetAPIKey gets an API key for a provider
func (*CredentialManager) GetCredential ¶
func (m *CredentialManager) GetCredential(id string) (*Credential, error)
GetCredential gets a credential by ID
func (*CredentialManager) GetCredentialsNeedingRotation ¶
func (m *CredentialManager) GetCredentialsNeedingRotation() ([]*Credential, error)
GetCredentialsNeedingRotation returns credentials that need rotation
func (*CredentialManager) InstallGitHook ¶
func (m *CredentialManager) InstallGitHook() error
InstallGitHook installs a git hook to prevent credential leakage
func (*CredentialManager) InstallGitHookInDir ¶
func (m *CredentialManager) InstallGitHookInDir(customDir string) error
InstallGitHookInDir installs a git hook in the specified directory or finds the git directory if empty
func (*CredentialManager) ListCredentials ¶
func (m *CredentialManager) ListCredentials() ([]*Credential, error)
ListCredentials lists all credentials
func (*CredentialManager) ListCredentialsByService ¶
func (m *CredentialManager) ListCredentialsByService(service string) ([]*Credential, error)
ListCredentialsByService lists credentials for a specific service
func (*CredentialManager) ListCredentialsByTag ¶
func (m *CredentialManager) ListCredentialsByTag(tag string) ([]*Credential, error)
ListCredentialsByTag lists credentials with a specific tag
func (*CredentialManager) ListCredentialsByType ¶
func (m *CredentialManager) ListCredentialsByType(credType CredentialType) ([]*Credential, error)
ListCredentialsByType lists credentials of a specific type
func (*CredentialManager) LoadFromEnv ¶
func (m *CredentialManager) LoadFromEnv() error
LoadFromEnv loads credentials from environment variables
func (*CredentialManager) RotateCredential ¶
func (m *CredentialManager) RotateCredential(id string, newValue string) error
RotateCredential rotates a credential
func (*CredentialManager) SetAPIKey ¶
func (m *CredentialManager) SetAPIKey(providerType core.ProviderType, apiKey string, description string) error
SetAPIKey sets an API key for a provider
func (*CredentialManager) StoreCredential ¶
func (m *CredentialManager) StoreCredential(cred *Credential) error
StoreCredential stores a credential
type CredentialType ¶
type CredentialType string
CredentialType represents the type of credential
const ( // APIKeyCredential represents an API key credential APIKeyCredential CredentialType = "api_key" // TokenCredential represents a token credential TokenCredential CredentialType = "token" // UsernamePasswordCredential represents a username/password credential UsernamePasswordCredential CredentialType = "username_password" // CertificateCredential represents a certificate credential CertificateCredential CredentialType = "certificate" )
type ManagerOptions ¶
type ManagerOptions struct {
// ConfigDir is the directory for configuration files
ConfigDir string
// Passphrase is used to derive the encryption key
Passphrase string
// EnvPrefix is the prefix for environment variables
EnvPrefix string
// AuditLogger is used for logging credential access
AuditLogger *securityAudit.AuditLoggerAdapter
// AutoSave determines whether to automatically save after changes
AutoSave bool
// RotationCheckInterval is how often to check for credentials that need rotation
RotationCheckInterval time.Duration
// InstallGitHook determines whether to install a git hook to prevent credential leakage
InstallGitHook bool
// GitDir is the custom git directory to use for git hook installation (for testing)
GitDir string
}
ManagerOptions contains options for creating a credential manager
type RotationPolicy ¶
type RotationPolicy struct {
// Enabled indicates whether automatic rotation is enabled
Enabled bool `json:"enabled"`
// IntervalDays is the number of days between rotations
IntervalDays int `json:"interval_days"`
// LastRotation is the timestamp of the last rotation
LastRotation time.Time `json:"last_rotation"`
// WarningDays is the number of days before expiration to start showing warnings
WarningDays int `json:"warning_days"`
}
RotationPolicy defines when credentials should be rotated
type SecureVault ¶
type SecureVault struct {
// contains filtered or unexported fields
}
SecureVault manages secure storage of credentials
func NewSecureVault ¶
func NewSecureVault(filePath string, options VaultOptions) (*SecureVault, error)
NewSecureVault creates a new secure vault
func (*SecureVault) Close ¶
func (v *SecureVault) Close() error
Close closes the vault and stops any background processes
func (*SecureVault) DeleteCredential ¶
func (v *SecureVault) DeleteCredential(id string) error
DeleteCredential deletes a credential by ID
func (*SecureVault) GetCredential ¶
func (v *SecureVault) GetCredential(id string) (*Credential, error)
GetCredential gets a credential by ID
func (*SecureVault) GetCredentialsNeedingRotation ¶
func (v *SecureVault) GetCredentialsNeedingRotation() ([]*Credential, error)
GetCredentialsNeedingRotation returns credentials that need rotation
func (*SecureVault) ListCredentials ¶
func (v *SecureVault) ListCredentials() ([]*Credential, error)
ListCredentials lists all credentials
func (*SecureVault) ListCredentialsByService ¶
func (v *SecureVault) ListCredentialsByService(service string) ([]*Credential, error)
ListCredentialsByService lists credentials for a specific service
func (*SecureVault) ListCredentialsByTag ¶
func (v *SecureVault) ListCredentialsByTag(tag string) ([]*Credential, error)
ListCredentialsByTag lists credentials with a specific tag
func (*SecureVault) ListCredentialsByType ¶
func (v *SecureVault) ListCredentialsByType(credType CredentialType) ([]*Credential, error)
ListCredentialsByType lists credentials of a specific type
func (*SecureVault) RotateCredential ¶
func (v *SecureVault) RotateCredential(id string, newValue string) error
RotateCredential marks a credential as rotated
func (*SecureVault) StoreCredential ¶
func (v *SecureVault) StoreCredential(cred *Credential) error
StoreCredential stores a credential
type VaultOptions ¶
type VaultOptions struct {
// Passphrase is used to derive the encryption key
Passphrase string
// AuditLogger is used for logging credential access
AuditLogger *securityAudit.AuditLoggerAdapter
// AutoSave determines whether to automatically save after changes
AutoSave bool
// RotationCheckInterval is how often to check for credentials that need rotation
RotationCheckInterval time.Duration
// AlertCallback is called when a credential needs rotation
AlertCallback func(credential *Credential, daysUntilExpiration int)
}
VaultOptions contains options for creating a new vault