vault

package
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 20, 2025 License: MIT Imports: 18 Imported by: 0

Documentation

Overview

Package vault provides a secure credential management system for the LLMreconing Tool.

Package vault provides a secure credential management system for the LLMreconing Tool.

Package vault provides a secure credential management system for the LLMreconing Tool.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateCredentialID

func GenerateCredentialID(service string, name string) string

GenerateCredentialID generates a unique ID for a credential

func InitDefaultAuditIntegration

func InitDefaultAuditIntegration(configDir string, userIDProvider func() string) error

InitDefaultAuditIntegration initializes the default audit integration

func InitDefaultIntegration

func InitDefaultIntegration(configDir string, passphrase string, auditLogger *securityAudit.AuditLoggerAdapter) error

InitDefaultIntegration initializes the default configuration integration

func InitDefaultManager

func InitDefaultManager(options ManagerOptions) error

InitDefaultManager initializes the default credential manager

Types

type AuditIntegration

type AuditIntegration struct {
	// contains filtered or unexported fields
}

AuditIntegration integrates the credential manager with audit logging

var DefaultAuditIntegration *AuditIntegration

DefaultAuditIntegration is the default audit integration

func NewAuditIntegration

func NewAuditIntegration(manager *CredentialManager, auditLogger *audit.CredentialAuditLogger) *AuditIntegration

NewAuditIntegration creates a new audit integration

func (*AuditIntegration) DeleteCredential

func (a *AuditIntegration) DeleteCredential(id string) error

DeleteCredential wraps the original DeleteCredential method with audit logging

func (*AuditIntegration) GetAPIKey

func (a *AuditIntegration) GetAPIKey(provider core.ProviderType) (string, error)

GetAPIKey wraps the original GetAPIKey method with audit logging

func (*AuditIntegration) GetCredential

func (a *AuditIntegration) GetCredential(id string) (*Credential, error)

GetCredential wraps the original GetCredential method with audit logging

func (*AuditIntegration) GetCredentialsWithAnomalousAccess

func (a *AuditIntegration) GetCredentialsWithAnomalousAccess(threshold int) ([]*Credential, error)

GetCredentialsWithAnomalousAccess returns credentials with anomalous access patterns

func (*AuditIntegration) GetUnusedCredentials

func (a *AuditIntegration) GetUnusedCredentials(days int) ([]*Credential, error)

GetUnusedCredentials returns credentials that haven't been accessed in the specified duration

func (*AuditIntegration) RotateCredential

func (a *AuditIntegration) RotateCredential(id string, newValue string) error

RotateCredential wraps the original RotateCredential method with audit logging

func (*AuditIntegration) SetAPIKey

func (a *AuditIntegration) SetAPIKey(provider core.ProviderType, apiKey string, description string) error

SetAPIKey wraps the original SetAPIKey method with audit logging

func (*AuditIntegration) StoreCredential

func (a *AuditIntegration) StoreCredential(cred *Credential) error

StoreCredential wraps the original StoreCredential method with audit logging

func (*AuditIntegration) WrapManager

func (a *AuditIntegration) WrapManager()

WrapManager creates a proxy manager with audit logging

type ConfigIntegration

type ConfigIntegration struct {
	// contains filtered or unexported fields
}

ConfigIntegration integrates the secure vault with the existing configuration system

var DefaultIntegration *ConfigIntegration

DefaultIntegration is the default configuration integration

func NewConfigIntegration

func NewConfigIntegration(credManager *CredentialManager, cfg *config.Config) *ConfigIntegration

NewConfigIntegration creates a new configuration integration

func (*ConfigIntegration) Initialize

func (i *ConfigIntegration) Initialize() error

Initialize initializes the integration

func (*ConfigIntegration) SaveConfig

func (i *ConfigIntegration) SaveConfig() error

SaveConfig saves the application configuration without sensitive data

func (*ConfigIntegration) SetupGitIgnore

func (i *ConfigIntegration) SetupGitIgnore() error

SetupGitIgnore ensures that sensitive files are added to .gitignore

func (*ConfigIntegration) UpdateConfig

func (i *ConfigIntegration) UpdateConfig() error

UpdateConfig updates the application configuration with credentials from the vault

type Credential

type Credential struct {
	// ID is a unique identifier for the credential
	ID string `json:"id"`
	// Name is a human-readable name for the credential
	Name string `json:"name"`
	// Type is the type of credential
	Type CredentialType `json:"type"`
	// Service is the service this credential is for (e.g., "openai", "anthropic")
	Service string `json:"service"`
	// Value is the actual credential value (encrypted when stored)
	Value string `json:"value"`
	// Description is an optional description of the credential
	Description string `json:"description,omitempty"`
	// Tags are optional tags for organizing credentials
	Tags []string `json:"tags,omitempty"`
	// Metadata is additional metadata for the credential
	Metadata map[string]string `json:"metadata,omitempty"`
	// RotationPolicy is the rotation policy for this credential
	RotationPolicy *RotationPolicy `json:"rotation_policy,omitempty"`
	// CreatedAt is when the credential was created
	CreatedAt time.Time `json:"created_at"`
	// UpdatedAt is when the credential was last updated
	UpdatedAt time.Time `json:"updated_at"`
	// ExpiresAt is when the credential expires (if applicable)
	ExpiresAt time.Time `json:"expires_at,omitempty"`
	// LastUsedAt is when the credential was last used
	LastUsedAt time.Time `json:"last_used_at,omitempty"`
}

Credential represents a secure credential

type CredentialManager

type CredentialManager struct {
	// contains filtered or unexported fields
}

CredentialManager manages credentials for the application

var DefaultManager *CredentialManager

DefaultManager is the default credential manager

func NewCredentialManager

func NewCredentialManager(options ManagerOptions) (*CredentialManager, error)

NewCredentialManager creates a new credential manager

func (*CredentialManager) Close

func (m *CredentialManager) Close() error

Close closes the credential manager

func (*CredentialManager) DeleteCredential

func (m *CredentialManager) DeleteCredential(id string) error

DeleteCredential deletes a credential by ID

func (*CredentialManager) GetAPIKey

func (m *CredentialManager) GetAPIKey(providerType core.ProviderType) (string, error)

GetAPIKey gets an API key for a provider

func (*CredentialManager) GetCredential

func (m *CredentialManager) GetCredential(id string) (*Credential, error)

GetCredential gets a credential by ID

func (*CredentialManager) GetCredentialsNeedingRotation

func (m *CredentialManager) GetCredentialsNeedingRotation() ([]*Credential, error)

GetCredentialsNeedingRotation returns credentials that need rotation

func (*CredentialManager) InstallGitHook

func (m *CredentialManager) InstallGitHook() error

InstallGitHook installs a git hook to prevent credential leakage

func (*CredentialManager) InstallGitHookInDir

func (m *CredentialManager) InstallGitHookInDir(customDir string) error

InstallGitHookInDir installs a git hook in the specified directory or finds the git directory if empty

func (*CredentialManager) ListCredentials

func (m *CredentialManager) ListCredentials() ([]*Credential, error)

ListCredentials lists all credentials

func (*CredentialManager) ListCredentialsByService

func (m *CredentialManager) ListCredentialsByService(service string) ([]*Credential, error)

ListCredentialsByService lists credentials for a specific service

func (*CredentialManager) ListCredentialsByTag

func (m *CredentialManager) ListCredentialsByTag(tag string) ([]*Credential, error)

ListCredentialsByTag lists credentials with a specific tag

func (*CredentialManager) ListCredentialsByType

func (m *CredentialManager) ListCredentialsByType(credType CredentialType) ([]*Credential, error)

ListCredentialsByType lists credentials of a specific type

func (*CredentialManager) LoadFromEnv

func (m *CredentialManager) LoadFromEnv() error

LoadFromEnv loads credentials from environment variables

func (*CredentialManager) RotateCredential

func (m *CredentialManager) RotateCredential(id string, newValue string) error

RotateCredential rotates a credential

func (*CredentialManager) SetAPIKey

func (m *CredentialManager) SetAPIKey(providerType core.ProviderType, apiKey string, description string) error

SetAPIKey sets an API key for a provider

func (*CredentialManager) StoreCredential

func (m *CredentialManager) StoreCredential(cred *Credential) error

StoreCredential stores a credential

type CredentialType

type CredentialType string

CredentialType represents the type of credential

const (
	// APIKeyCredential represents an API key credential
	APIKeyCredential CredentialType = "api_key"
	// TokenCredential represents a token credential
	TokenCredential CredentialType = "token"
	// UsernamePasswordCredential represents a username/password credential
	UsernamePasswordCredential CredentialType = "username_password"
	// CertificateCredential represents a certificate credential
	CertificateCredential CredentialType = "certificate"
)

type ManagerOptions

type ManagerOptions struct {
	// ConfigDir is the directory for configuration files
	ConfigDir string
	// Passphrase is used to derive the encryption key
	Passphrase string
	// EnvPrefix is the prefix for environment variables
	EnvPrefix string
	// AuditLogger is used for logging credential access
	AuditLogger *securityAudit.AuditLoggerAdapter
	// AutoSave determines whether to automatically save after changes
	AutoSave bool
	// RotationCheckInterval is how often to check for credentials that need rotation
	RotationCheckInterval time.Duration
	// InstallGitHook determines whether to install a git hook to prevent credential leakage
	InstallGitHook bool
	// GitDir is the custom git directory to use for git hook installation (for testing)
	GitDir string
}

ManagerOptions contains options for creating a credential manager

type RotationPolicy

type RotationPolicy struct {
	// Enabled indicates whether automatic rotation is enabled
	Enabled bool `json:"enabled"`
	// IntervalDays is the number of days between rotations
	IntervalDays int `json:"interval_days"`
	// LastRotation is the timestamp of the last rotation
	LastRotation time.Time `json:"last_rotation"`
	// WarningDays is the number of days before expiration to start showing warnings
	WarningDays int `json:"warning_days"`
}

RotationPolicy defines when credentials should be rotated

type SecureVault

type SecureVault struct {
	// contains filtered or unexported fields
}

SecureVault manages secure storage of credentials

func NewSecureVault

func NewSecureVault(filePath string, options VaultOptions) (*SecureVault, error)

NewSecureVault creates a new secure vault

func (*SecureVault) Close

func (v *SecureVault) Close() error

Close closes the vault and stops any background processes

func (*SecureVault) DeleteCredential

func (v *SecureVault) DeleteCredential(id string) error

DeleteCredential deletes a credential by ID

func (*SecureVault) GetCredential

func (v *SecureVault) GetCredential(id string) (*Credential, error)

GetCredential gets a credential by ID

func (*SecureVault) GetCredentialsNeedingRotation

func (v *SecureVault) GetCredentialsNeedingRotation() ([]*Credential, error)

GetCredentialsNeedingRotation returns credentials that need rotation

func (*SecureVault) ListCredentials

func (v *SecureVault) ListCredentials() ([]*Credential, error)

ListCredentials lists all credentials

func (*SecureVault) ListCredentialsByService

func (v *SecureVault) ListCredentialsByService(service string) ([]*Credential, error)

ListCredentialsByService lists credentials for a specific service

func (*SecureVault) ListCredentialsByTag

func (v *SecureVault) ListCredentialsByTag(tag string) ([]*Credential, error)

ListCredentialsByTag lists credentials with a specific tag

func (*SecureVault) ListCredentialsByType

func (v *SecureVault) ListCredentialsByType(credType CredentialType) ([]*Credential, error)

ListCredentialsByType lists credentials of a specific type

func (*SecureVault) RotateCredential

func (v *SecureVault) RotateCredential(id string, newValue string) error

RotateCredential marks a credential as rotated

func (*SecureVault) Save

func (v *SecureVault) Save() error

Save saves credentials to the file

func (*SecureVault) StoreCredential

func (v *SecureVault) StoreCredential(cred *Credential) error

StoreCredential stores a credential

type VaultOptions

type VaultOptions struct {
	// Passphrase is used to derive the encryption key
	Passphrase string
	// AuditLogger is used for logging credential access
	AuditLogger *securityAudit.AuditLoggerAdapter
	// AutoSave determines whether to automatically save after changes
	AutoSave bool
	// RotationCheckInterval is how often to check for credentials that need rotation
	RotationCheckInterval time.Duration
	// AlertCallback is called when a credential needs rotation
	AlertCallback func(credential *Credential, daysUntilExpiration int)
}

VaultOptions contains options for creating a new vault

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL