stack

package

v0.3.5 Latest Latest Go to latest Published: Jun 13, 2026 License: MIT Imports: 12 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/shareed2k/honey

Links

Open Source Insights

Documentation ¶

Overview ¶

Package stack implements symmetric secure:v1 encryption for recipe secrets.

Index ¶

Constants
func DecryptSymmetricV1(key []byte, value string) (string, error)
func EncryptSymmetricV1(key []byte, plaintext string) (string, error)
func FormatSecureRef(key []byte, plaintext string) (string, error)
func NewDeferred(secretsProvider, encryptedKey string, reg *stackunwrap.Registry) ref.Backend
func NewStatic(key []byte) (ref.Backend, error)
func ValidateSecureRef(ref string) error
type DeferredSecure
type StaticDataKey
type UnwrapFunc

Constants ¶

View Source

const SymmetricKeyBytes = 32

SymmetricKeyBytes is the AES-256 key size for secure:v1.

Variables ¶

This section is empty.

Functions ¶

func DecryptSymmetricV1 ¶

func DecryptSymmetricV1(key []byte, value string) (string, error)

DecryptSymmetricV1 decrypts inner form "v1:<base64-nonce>:<base64-ciphertext>".

func EncryptSymmetricV1 ¶

func EncryptSymmetricV1(key []byte, plaintext string) (string, error)

EncryptSymmetricV1 encrypts plaintext with key; inner form is v1:<nonce-b64>:<ct-b64>.

func FormatSecureRef ¶

func FormatSecureRef(key []byte, plaintext string) (string, error)

FormatSecureRef returns a full recipe ref "secure:v1:…".

func NewDeferred ¶

func NewDeferred(secretsProvider, encryptedKey string, reg *stackunwrap.Registry) ref.Backend

NewDeferred returns a ref.Backend that unwraps secretsprovider/encryptedkey on first secure:… resolve.

func NewStatic ¶

func NewStatic(key []byte) (ref.Backend, error)

NewStatic returns a ref.Backend for secure: refs using key (must be SymmetricKeyBytes long).

func ValidateSecureRef ¶

func ValidateSecureRef(ref string) error

ValidateSecureRef checks recipe secret values are secure:v1:… with decodable segments.

Types ¶

type DeferredSecure ¶

type DeferredSecure struct {
	// contains filtered or unexported fields
}

DeferredSecure unwraps the stack data key on first secure:… resolution (lazy).

func (*DeferredSecure) Handles ¶

func (d *DeferredSecure) Handles(ref string) bool

Handles implements ref.Backend.

func (*DeferredSecure) Name ¶

func (*DeferredSecure) Name() string

Name implements ref.Backend.

func (*DeferredSecure) Resolve ¶

func (d *DeferredSecure) Resolve(ctx context.Context, ref string) (string, error)

Resolve implements ref.Backend.

type StaticDataKey ¶

type StaticDataKey struct {
	// contains filtered or unexported fields
}

StaticDataKey decrypts secure:v1:… using a fixed 32-byte key (tests; do not use in production).

func (StaticDataKey) Handles ¶

func (StaticDataKey) Handles(ref string) bool

Handles implements ref.Backend.

func (StaticDataKey) Name ¶

func (StaticDataKey) Name() string

Name implements ref.Backend.

func (*StaticDataKey) Resolve ¶

func (s *StaticDataKey) Resolve(ctx context.Context, ref string) (string, error)

Resolve implements ref.Backend.

type UnwrapFunc ¶

type UnwrapFunc func(ctx context.Context, providerURL, encryptedKey string) ([]byte, error)

UnwrapFunc unwraps secretsprovider + encryptedkey to raw stack key bytes.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL