common

package
Published: Apr 9, 2026 License: MIT Imports: 45 Imported by: 0

Documentation

Index

Constants

// Values accepted for the secretsAuth selector passed to Handler.Execute;
// ValidateSecretsAuthFlow checks them and IsBrowserFlow distinguishes them.
const (
	// SecretsAuthOwnerKeySigning selects the owner-key / web3 (EOA) flow
	// described on EncryptSecret and EnsureDeploymentRPCForOwnerKeySecrets.
	SecretsAuthOwnerKeySigning = "owner-key-signing"
	// SecretsAuthBrowser selects the browser (JWT) flow that sends through
	// GatewayClient.PostWithBearer. ValidateSecretsAuthFlow documents that this
	// flow is rejected in production.
	SecretsAuthBrowser         = "browser"
)

Variables

This section is empty.

Functions

func CalculateDigest

func CalculateDigest[I any](r jsonrpc2.Request[I]) ([32]byte, error)

func DeriveBundleFilename

func DeriveBundleFilename(digest [32]byte) string

func EncryptSecret

func EncryptSecret(secret, masterPublicKeyHex string, ownerAddress string) (string, error)

EncryptSecret encrypts for the owner-key / web3 flow using a 32-byte label derived from the EOA (12 zero bytes + 20-byte address).

func HexToBytes32

func HexToBytes32(h string) ([32]byte, error)

func IsBrowserFlow added in v1.8.0

func IsBrowserFlow(flow string) bool

IsBrowserFlow returns true when the browser (JWT) auth flow is selected.

func SaveBundle

func SaveBundle(path string, b *UnsignedBundle) error

func ValidateSecretsAuthFlow added in v1.8.0

func ValidateSecretsAuthFlow(flow, envName string) error

ValidateSecretsAuthFlow checks that the chosen auth flow is valid and allowed in the current environment. Browser flow is blocked in production.

Types

type GatewayClient

// GatewayClient is the transport Handler uses to deliver JSON-RPC request
// bodies to the vault gateway. Both methods return the raw response body and
// the HTTP status; the body is interpreted by Handler.ParseVaultGatewayResponse.
type GatewayClient interface {
	// Post sends the JSON-RPC body for the owner-key flow. The note on
	// PostWithBearer implies this path performs allowlist retries — confirm
	// against HTTPClient.Post (RetryAttempts / RetryDelay).
	Post(body []byte) (respBody []byte, status int, err error)
	// PostWithBearer sends the JSON-RPC body with Authorization: Bearer for the browser OAuth flow (no allowlist retries).
	PostWithBearer(body []byte, bearerToken string) (respBody []byte, status int, err error)
}

type HTTPClient

// HTTPClient is the net/http-backed GatewayClient; its Post and PostWithBearer
// methods are defined elsewhere in this package.
type HTTPClient struct {
	// URL is the gateway endpoint that request bodies are POSTed to.
	URL           string
	// Client performs the requests. NOTE(review): a zero-value http.Client has
	// no Timeout; confirm the constructor sets one (or that per-request
	// contexts carry deadlines) so a stalled gateway cannot hang the CLI.
	Client        *http.Client
	// RetryAttempts and RetryDelay bound the retry loop; which responses are
	// retried is decided in Post and is not visible here.
	RetryAttempts uint
	RetryDelay    time.Duration
}

func (*HTTPClient) Post

func (g *HTTPClient) Post(body []byte) ([]byte, int, error)

func (*HTTPClient) PostWithBearer added in v1.8.2

func (g *HTTPClient) PostWithBearer(body []byte, bearerToken string) ([]byte, int, error)

type Handler

// Handler carries the dependencies for the secrets create/update/execute
// commands. Construct it with NewHandler rather than as a struct literal.
type Handler struct {
	Log             *zerolog.Logger
	ClientFactory   client.Factory
	// SecretsFilePath is the YAML file read by ResolveInputs (.yaml/.yml only).
	SecretsFilePath string
	// PrivateKey is the owner EOA key, presumably used by the owner-key
	// signing flow. NOTE(review): it is held in memory for the Handler's
	// lifetime; keep it out of logs and debug dumps of the struct.
	PrivateKey      *ecdsa.PrivateKey
	// OwnerAddress is the workflow owner EOA; EncryptSecrets left-pads it to
	// 32 bytes as the TDH2 label in the owner-key path.
	OwnerAddress    string
	EnvironmentSet  *environments.EnvironmentSet
	// Gw delivers JSON-RPC bodies to the vault gateway.
	Gw              GatewayClient
	// Wrc is the workflow registry client; by name it backs the owner-link and
	// allowlist steps (EnsureOwnerLinkedOrFail, PackAllowlistRequestTxData) —
	// verify against those methods.
	Wrc             *client.WorkflowRegistryV2Client
	Credentials     *credentials.Credentials
	Settings        *settings.Settings
}

func NewHandler

func NewHandler(ctx *runtime.Context, secretsFilePath string) (*Handler, error)

NewHandler creates a new handler instance.

func (*Handler) EncryptSecrets

func (h *Handler) EncryptSecrets(rawSecrets UpsertSecretsInputs) ([]*vault.EncryptedSecret, error)

EncryptSecrets encrypts the raw secrets and returns a slice of pointers to the encrypted entries. When SecretsOrgOwned is enabled, it uses SHA256(orgID) as the TDH2 label and orgID as the owner. Otherwise, it uses the workflow owner address left-padded to 32 bytes as the TDH2 label.

func (*Handler) EncryptSecretsForBrowserOrg added in v1.8.0

func (h *Handler) EncryptSecretsForBrowserOrg(rawSecrets UpsertSecretsInputs, orgID string) ([]*vault.EncryptedSecret, error)

EncryptSecretsForBrowserOrg encrypts secrets scoped to the signed-in organization (interactive sign-in flow). TDH2 label is SHA256(orgID); SecretIdentifier.Owner is the org id string. This is a separate binding from the owner-key path (EOA left-padded label + workflow owner address); both remain supported via their respective entrypoints.

func (*Handler) EnsureDeploymentRPCForOwnerKeySecrets added in v1.8.0

func (h *Handler) EnsureDeploymentRPCForOwnerKeySecrets() error

EnsureDeploymentRPCForOwnerKeySecrets checks project settings for an RPC URL on the workflow registry chain (owner-key / allowlist flows only).

func (*Handler) EnsureOwnerLinkedOrFail

func (h *Handler) EnsureOwnerLinkedOrFail() error

EnsureOwnerLinkedOrFail TODO: this reuses the same logic as in autoLink.go, which is tied to deploy; consider refactoring to avoid the duplication.

func (*Handler) Execute

func (h *Handler) Execute(
	inputs UpsertSecretsInputs,
	method string,
	duration time.Duration,
	secretsAuth string,
) error

Execute implements secrets create and update from YAML (multisig bundle, owner-key with allowlist, or interactive org sign-in).

func (*Handler) ExecuteBrowserVaultAuthorization added in v1.8.1

func (h *Handler) ExecuteBrowserVaultAuthorization(ctx context.Context, method string, digest [32]byte, requestBody []byte) error

ExecuteBrowserVaultAuthorization completes platform OAuth for a vault JSON-RPC digest (create/update/delete/list), then POSTs the same request body to the gateway with the vault JWT in the Authorization header.

func (*Handler) LogMSIGNextSteps

func (h *Handler) LogMSIGNextSteps(txData string, digest [32]byte, bundlePath string) error

func (*Handler) PackAllowlistRequestTxData

func (h *Handler) PackAllowlistRequestTxData(reqDigest [32]byte, duration time.Duration) (string, error)

TODO: use TxType interface

func (*Handler) ParseVaultGatewayResponse

func (h *Handler) ParseVaultGatewayResponse(method string, respBody []byte) error

ParseVaultGatewayResponse parses the JSON-RPC response, decodes the SignedOCRResponse payload into the appropriate proto type (CreateSecretsResponse, UpdateSecretsResponse, DeleteSecretsResponse), and logs one line per secret with id/owner/namespace/success/error.

func (*Handler) ResolveEffectiveOwner added in v1.10.0

func (h *Handler) ResolveEffectiveOwner() (string, error)

ResolveEffectiveOwner returns the owner string to use for vault secret identifiers. When SecretsOrgOwned is enabled, the org ID (from auth validation) is used; otherwise, the workflow owner address is used.

func (*Handler) ResolveInputs

func (h *Handler) ResolveInputs() (UpsertSecretsInputs, error)

ResolveInputs loads secrets from a YAML file. Errors if the path is not .yaml/.yml — MSIG step 2 is handled by `cre secrets execute`.

func (*Handler) ValidateInputs

func (h *Handler) ValidateInputs(inputs UpsertSecretsInputs) error

ValidateInputs validates the input structure.

type MockClientFactory

// MockClientFactory is a test double for client.Factory; the methods below
// (GetSkipConfirmation, GetTxType, NewWorkflowRegistryV2Client) record calls
// through the embedded mock.Mock.
type MockClientFactory struct {
	mock.Mock
}

func (*MockClientFactory) GetSkipConfirmation

func (m *MockClientFactory) GetSkipConfirmation() bool

func (*MockClientFactory) GetTxType

func (m *MockClientFactory) GetTxType() client.TxType

func (*MockClientFactory) NewWorkflowRegistryV2Client

func (m *MockClientFactory) NewWorkflowRegistryV2Client() (*client.WorkflowRegistryV2Client, error)

type SecretItem

// SecretItem represents a single secret with its ID, value, and optional namespace.
type SecretItem struct {
	ID        string `json:"id" validate:"required"`
	// Value is the plaintext secret as read from YAML; Handler.EncryptSecrets
	// encrypts it before anything is sent. NOTE(review): the json tag means
	// Marshal emits it verbatim, so never log or persist a decoded SecretItem.
	Value     string `json:"value" validate:"required"`
	// Namespace is optional (no validate:"required" tag).
	Namespace string `json:"namespace"`
}

SecretItem represents a single secret with its ID, value, and optional namespace.

type SecretsYamlConfig

// SecretsYamlConfig mirrors the secretsNames section of a secrets YAML file:
// a map whose values are lists of secret names. What the map key denotes is
// not visible here — presumably a namespace; verify against the loader.
type SecretsYamlConfig struct {
	SecretsNames map[string][]string `yaml:"secretsNames"`
}

type UnsignedBundle

// UnsignedBundle is the on-disk artifact of the multisig flow: the JSON-RPC
// request written by SaveBundle for later signing and execution, and read
// back by LoadBundle.
type UnsignedBundle struct {
	RequestID   string          `json:"request_id"`
	// Method is the vault JSON-RPC method the body carries.
	Method      string          `json:"method"`
	// DigestHex is the hex form of the request digest (see CalculateDigest and
	// HexToBytes32); the bundle filename is presumably derived from the same
	// digest via DeriveBundleFilename.
	DigestHex   string          `json:"digest_hex"`
	// RequestBody is kept as raw JSON so the exact bytes can be replayed.
	// NOTE(review): if the digest is computed over these bytes, re-encoding
	// the body would change them and invalidate DigestHex — confirm that
	// consumers compare the stored digest against the stored bytes.
	RequestBody json.RawMessage `json:"request_body"`
	CreatedAt   time.Time       `json:"created_at"`
}

func LoadBundle

func LoadBundle(path string) (*UnsignedBundle, error)

type UpsertSecretsInputs

// UpsertSecretsInputs holds the secrets passed to the CLI. It is produced by
// Handler.ResolveInputs and checked by Handler.ValidateInputs before use.
type UpsertSecretsInputs []SecretItem

UpsertSecretsInputs holds the secrets passed to the CLI.
