secrets

package
v2.1.0

This package is not in the latest version of its module.
Published: May 29, 2026 License: MIT Imports: 2 Imported by: 0

Documentation

Overview

Package secrets centralizes the small allow-lists Restish uses to recognize credential-bearing names at trust boundaries.

Constants

This section is empty.

Variables

var HeaderNames = map[string]bool{
	"Authorization":             true,
	"Cookie":                    true,
	"Api-Key":                   true,
	"Ocp-Apim-Subscription-Key": true,
	"Proxy-Authorization":       true,
	"Set-Cookie":                true,
	"X-Api-Key":                 true,
	"X-Api-Token":               true,
	"X-Auth-Token":              true,
	"X-Secret":                  true,
}

HeaderNames contains canonical HTTP header names that commonly carry credentials. Matching is exact after http.CanonicalHeaderKey.

var JSONBodyKeys = map[string]bool{
	"access_token":        true,
	"refresh_token":       true,
	"id_token":            true,
	"token":               true,
	"api_key":             true,
	"apikey":              true,
	"client_secret":       true,
	"password":            true,
	"secret":              true,
	"assertion":           true,
	"authorization":       true,
	"cookie":              true,
	"proxy-authorization": true,
	"set-cookie":          true,
}

JSONBodyKeys contains lower-case JSON object keys that should be redacted in verbose body logging.

var OAuthErrorBodyKeys = map[string]bool{
	"access_token":  true,
	"refresh_token": true,
	"id_token":      true,
	"token":         true,
	"client_secret": true,
	"password":      true,
	"assertion":     true,
}

OAuthErrorBodyKeys contains lower-case token endpoint error JSON keys that should be redacted before surfacing the response body. It intentionally does not include token_type.

var QueryParamNames = map[string]bool{
	"access_token":     true,
	"refresh_token":    true,
	"id_token":         true,
	"token":            true,
	"api_key":          true,
	"apikey":           true,
	"client_secret":    true,
	"password":         true,
	"secret":           true,
	"subscription-key": true,
}

QueryParamNames contains lower-case query parameter names that commonly carry credentials. Matching is exact after strings.ToLower.
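
The two matching rules stated above (exact match after http.CanonicalHeaderKey for headers, exact match after strings.ToLower for query parameters), shown as an added example that is not Restish's own code. It copies a subset of the allow-lists; the helpers redactHeaders and redactURL, the mask text, and the request data are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const mask = "REDACTED" // assumption: the package's real mask text is not shown on this page
// Subsets of the allow-lists above, copied so the example runs stand-alone.
var headerNames = map[string]bool{"Authorization": true, "Cookie": true, "X-Api-Key": true}
var queryParamNames = map[string]bool{"access_token": true, "api_key": true, "subscription-key": true}

// redactHeaders (hypothetical) copies h, masking values whose canonical name is listed.
func redactHeaders(h http.Header) http.Header {
	out := http.Header{}
	for name, values := range h {
		key := http.CanonicalHeaderKey(name) // "x-api-key" -> "X-Api-Key"
		if headerNames[key] {
			values = []string{mask}
		}
		out[key] = append(out[key], values...)
	}
	return out
}

// redactURL (hypothetical) masks listed query parameters; names are lower-cased before lookup.
func redactURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	q := u.Query()
	for name := range q {
		if queryParamNames[strings.ToLower(name)] { // "API_KEY" -> "api_key"
			q[name] = []string{mask}
		}
	}
	u.RawQuery = q.Encode() // Encode sorts parameters by name
	return u.String(), nil
}

func main() {
	h := http.Header{"x-api-key": {"constructed-key-123"}, "Accept": {"application/json"}} // constructed
	fmt.Println(redactHeaders(h))
	fmt.Println(redactURL("https://api.example.com/v1/items?API_KEY=constructed-abc&page=2"))
}
```

Because the lookup is exact, a name outside the list, such as my_token, passes through these helpers unmasked.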

Functions

func IsHeaderName

func IsHeaderName(name string) bool

func IsHeaderValue

func IsHeaderValue(name, value string) bool

func IsJSONBodyKey

func IsJSONBodyKey(name string) bool

func IsJSONBodyValue

func IsJSONBodyValue(name, value string) bool

func IsOAuthErrorBodyKey

func IsOAuthErrorBodyKey(name string) bool

func IsQueryParamName

func IsQueryParamName(name string) bool

func IsQueryParamValue

func IsQueryParamValue(name, value string) bool

func LooksSensitiveValue

func LooksSensitiveValue(value string) bool

LooksSensitiveValue reports whether a value resembles an API key or token. It intentionally keeps common low-entropy values such as "testing" visible so ambiguous names like "key" can still be useful in verbose diagnostics.

func RedactDiagnosticText

func RedactDiagnosticText(value string) string

RedactDiagnosticText removes common secret assignments from plugin stderr, verbose traces, and other diagnostic text that may be surfaced to users.

Types

This section is empty.
