stackunwrap

package

v0.3.5 Latest Latest Go to latest Published: Jun 13, 2026 License: MIT Imports: 17 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/shareed2k/honey

Links

Open Source Insights

Documentation ¶

Overview ¶

Package stackunwrap unwraps stack data keys from secretsprovider URLs (KMS, keyring, age, etc.).

Index ¶

func DecodeKeyringMaterial(v string) ([]byte, error)
func EncodeKeyringMaterial(key []byte) (string, error)
type AWSKMS
type Age
type DataKeyUnwrapper
type GCPKMS
type K8s
type Keyring
type Registry
- func NewRegistry() *Registry
- func (r *Registry) Register(p DataKeyUnwrapper)
- func (r *Registry) Unwrap(ctx context.Context, providerURL, encryptedKey string) ([]byte, error)
type VaultTransit

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func DecodeKeyringMaterial ¶

func DecodeKeyringMaterial(v string) ([]byte, error)

DecodeKeyringMaterial reads a keyring value (base64 or legacy raw 32 bytes).

func EncodeKeyringMaterial ¶

func EncodeKeyringMaterial(key []byte) (string, error)

EncodeKeyringMaterial stores a stack data key as standard base64 for OS keyrings.

Types ¶

type AWSKMS ¶

type AWSKMS struct{}

AWSKMS unwraps a data key via awskms:// (encryptedkey is base64 ciphertext blob).

func (AWSKMS) Name ¶

func (AWSKMS) Name() string

Name implements DataKeyUnwrapper.

func (AWSKMS) Supports ¶

func (AWSKMS) Supports(providerURL string) bool

Supports implements DataKeyUnwrapper.

func (AWSKMS) Unwrap ¶

func (AWSKMS) Unwrap(ctx context.Context, _ string, encryptedKeyB64 string) ([]byte, error)

type Age ¶

type Age struct {
	IdentityFile string
}

Age unwraps a stack data key using age identities from identityFile. secretsprovider age:// — armored ciphertext in encryptedkey. secretsprovider age-file://path — ciphertext read from path (encryptedkey ignored).

func (Age) Name ¶

func (a Age) Name() string

Name implements DataKeyUnwrapper.

func (Age) Supports ¶

func (a Age) Supports(providerURL string) bool

Supports implements DataKeyUnwrapper.

func (Age) Unwrap ¶

func (a Age) Unwrap(ctx context.Context, providerURL, encryptedKey string) ([]byte, error)

type DataKeyUnwrapper ¶

type DataKeyUnwrapper interface {
	Name() string
	Supports(providerURL string) bool
	Unwrap(ctx context.Context, providerURL, encryptedKey string) ([]byte, error)
}

DataKeyUnwrapper unwraps a stack data key from defaults.secretsprovider + defaults.encryptedkey.

type GCPKMS ¶

type GCPKMS struct{}

GCPKMS unwraps a data key via gcpkms://projects/…/cryptoKeys/….

func (GCPKMS) Name ¶

func (GCPKMS) Name() string

Name implements DataKeyUnwrapper.

func (GCPKMS) Supports ¶

func (GCPKMS) Supports(providerURL string) bool

Supports implements DataKeyUnwrapper.

func (GCPKMS) Unwrap ¶

func (GCPKMS) Unwrap(ctx context.Context, providerURL, encryptedKeyB64 string) ([]byte, error)

type K8s ¶

type K8s struct{}

K8s loads the stack data key from a Kubernetes Secret data field. secretsprovider: k8s://namespace/secretName encryptedkey: data key name (value is raw 32 bytes or base64).

func (K8s) Name ¶

func (K8s) Name() string

Name implements DataKeyUnwrapper.

func (K8s) Supports ¶

func (K8s) Supports(providerURL string) bool

Supports implements DataKeyUnwrapper.

func (K8s) Unwrap ¶

func (K8s) Unwrap(ctx context.Context, providerURL, encryptedKey string) ([]byte, error)

type Keyring ¶

type Keyring struct{}

Keyring loads the stack data key from the OS credential store. secretsprovider: keyring://service/user (encryptedkey is ignored).

func (Keyring) Name ¶

func (Keyring) Name() string

Name implements DataKeyUnwrapper.

func (Keyring) Supports ¶

func (Keyring) Supports(providerURL string) bool

Supports implements DataKeyUnwrapper.

func (Keyring) Unwrap ¶

func (Keyring) Unwrap(_ context.Context, providerURL, _ string) ([]byte, error)

type Registry ¶

type Registry struct {
	// contains filtered or unexported fields
}

Registry dispatches stack data-key unwrap to registered providers.

func NewRegistry ¶

func NewRegistry() *Registry

NewRegistry returns an empty registry.

func (*Registry) Register ¶

func (r *Registry) Register(p DataKeyUnwrapper)

Register appends a provider (first match wins).

func (*Registry) Unwrap ¶

func (r *Registry) Unwrap(ctx context.Context, providerURL, encryptedKey string) ([]byte, error)

Unwrap selects a provider and returns the raw data key bytes.

type VaultTransit ¶

type VaultTransit struct{}

VaultTransit decrypts the stack data key via Vault Transit. secretsprovider: vault-transit://mount/keyName encryptedkey: transit ciphertext (vault:v1:… or raw).

func (VaultTransit) Name ¶

func (VaultTransit) Name() string

Name implements DataKeyUnwrapper.

func (VaultTransit) Supports ¶

func (VaultTransit) Supports(providerURL string) bool

Supports implements DataKeyUnwrapper.

func (VaultTransit) Unwrap ¶

func (VaultTransit) Unwrap(_ context.Context, providerURL, encryptedKey string) ([]byte, error)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL