secrets

package
v0.0.47 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 12, 2025 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package secrets contains the secrets management logic for ToolHive.

Index

Constants

View Source 
const (
	// PasswordEnvVar is the environment variable used to specify the password for encrypting and decrypting secrets.
	PasswordEnvVar = "TOOLHIVE_SECRETS_PASSWORD"

	// ProviderEnvVar is the environment variable used to specify the secrets provider type.
	ProviderEnvVar = "TOOLHIVE_SECRETS_PROVIDER"
)

Variables

View Source 
var Err1PasswordReadOnly = fmt.Errorf("1Password secrets manager is read-only, write operations are not supported")

Err1PasswordReadOnly indicates that the 1Password secrets manager is read-only. Is it returned by operations which attempt to change values in 1Password.

View Source 
var ErrUnknownManagerType = errors.New("unknown secret manager type")

ErrUnknownManagerType is returned when an invalid value for ProviderType is specified.

Functions

func GetSecretsPassword 

func GetSecretsPassword() ([]byte, error)

GetSecretsPassword returns the password to use for encrypting and decrypting secrets. It will attempt to retrieve it from the environment variable TOOLHIVE_SECRETS_PASSWORD. If the environment variable is not set, it will prompt the user to enter a password.

func ResetKeyringSecret 

func ResetKeyringSecret() error

ResetKeyringSecret clears out the secret from the keystore (if present).

func SecretParametersToCLI added in v0.0.34 

func SecretParametersToCLI(params []SecretParameter) []string

SecretParametersToCLI does the reverse of `ParseSecretParameter` TODO: It may be possible to get rid of this with refactoring.

Types

type EncryptedManager 

type EncryptedManager struct {
	// contains filtered or unexported fields
}

EncryptedManager stores secrets in an encrypted file. AES-256-GCM is used for encryption.

func (*EncryptedManager) Capabilities added in v0.0.43 

func (*EncryptedManager) Capabilities() ProviderCapabilities

Capabilities returns the capabilities of the encrypted provider.

func (*EncryptedManager) Cleanup 

func (e *EncryptedManager) Cleanup() error

Cleanup removes all secrets managed by this manager.

func (*EncryptedManager) DeleteSecret 

func (e *EncryptedManager) DeleteSecret(_ context.Context, name string) error

DeleteSecret removes a secret from the secret store.

func (*EncryptedManager) GetSecret 

func (e *EncryptedManager) GetSecret(_ context.Context, name string) (string, error)

GetSecret retrieves a secret from the secret store.

func (*EncryptedManager) ListSecrets 

func (e *EncryptedManager) ListSecrets(_ context.Context) ([]SecretDescription, error)

ListSecrets returns a list of all secret names stored in the manager.

func (*EncryptedManager) SetSecret 

func (e *EncryptedManager) SetSecret(_ context.Context, name, value string) error

SetSecret stores a secret in the secret store.

type NoneManager added in v0.0.44 

type NoneManager struct{}

NoneManager is a no-op secrets provider that doesn't store or retrieve secrets. It's designed for use in Kubernetes environments where secrets are provided as environment variables or file mounts, eliminating the need for interactive password prompts.

func (*NoneManager) Capabilities added in v0.0.44 

func (*NoneManager) Capabilities() ProviderCapabilities

Capabilities returns the capabilities of the none provider. The none provider is essentially read-only but doesn't actually read anything.

func (*NoneManager) Cleanup added in v0.0.44 

func (*NoneManager) Cleanup() error

Cleanup is a no-op for the none provider since there's nothing to clean up.

func (*NoneManager) DeleteSecret added in v0.0.44 

func (*NoneManager) DeleteSecret(_ context.Context, name string) error

DeleteSecret always returns an error indicating that the none provider doesn't support secret deletion.

func (*NoneManager) GetSecret added in v0.0.44 

func (*NoneManager) GetSecret(_ context.Context, name string) (string, error)

GetSecret always returns an error indicating that the none provider doesn't support secret retrieval.

func (*NoneManager) ListSecrets added in v0.0.44 

func (*NoneManager) ListSecrets(_ context.Context) ([]SecretDescription, error)

ListSecrets returns an empty list since the none provider doesn't store any secrets.

func (*NoneManager) SetSecret added in v0.0.44 

func (*NoneManager) SetSecret(_ context.Context, name, _ string) error

SetSecret always returns an error indicating that the none provider doesn't support secret storage.

type OnePasswordManager added in v0.0.32 

type OnePasswordManager struct {
	// contains filtered or unexported fields
}

OnePasswordManager manages secrets in 1Password.

func NewOnePasswordManagerWithClient added in v0.0.43 

func NewOnePasswordManagerWithClient(client clients.OnePasswordClient) *OnePasswordManager

NewOnePasswordManagerWithClient creates an instance of OnePasswordManager with a provided 1password client. This function is primarily intended for testing purposes.

func (*OnePasswordManager) Capabilities added in v0.0.43 

func (*OnePasswordManager) Capabilities() ProviderCapabilities

Capabilities returns the capabilities of the 1Password provider. Read-only provider with listing support.

func (*OnePasswordManager) Cleanup added in v0.0.32 

func (*OnePasswordManager) Cleanup() error

Cleanup is not needed for 1Password.

func (*OnePasswordManager) DeleteSecret added in v0.0.32 

func (*OnePasswordManager) DeleteSecret(_ context.Context, _ string) error

DeleteSecret is not supported for 1Password unless there is demand for it.

func (*OnePasswordManager) GetSecret added in v0.0.32 

func (o *OnePasswordManager) GetSecret(ctx context.Context, path string) (string, error)

GetSecret retrieves a secret from 1Password.

func (*OnePasswordManager) ListSecrets added in v0.0.32 

func (o *OnePasswordManager) ListSecrets(ctx context.Context) ([]SecretDescription, error)

ListSecrets lists the paths to the secrets in 1Password. 1Password has a hierarchy of vaults, items, and fields. Each secret is represented as a path in the format: op://<vault>/<item>/<field>

func (*OnePasswordManager) SetSecret added in v0.0.32 

func (*OnePasswordManager) SetSecret(_ context.Context, _, _ string) error

SetSecret is not supported for 1Password unless there is demand for it.

type Provider added in v0.0.32 

type Provider interface {
	GetSecret(ctx context.Context, name string) (string, error)
	SetSecret(ctx context.Context, name, value string) error
	DeleteSecret(ctx context.Context, name string) error
	ListSecrets(ctx context.Context) ([]SecretDescription, error)
	Cleanup() error
	// Capabilities returns what operations this provider supports
	Capabilities() ProviderCapabilities
}

Provider describes a type which can manage secrets.

func CreateSecretProvider added in v0.0.33 

func CreateSecretProvider(managerType ProviderType) (Provider, error)

CreateSecretProvider creates the specified type of secrets provider.

func NewEncryptedManager 

func NewEncryptedManager(filePath string, key []byte) (Provider, error)

NewEncryptedManager creates an instance of EncryptedManager.

func NewNoneManager added in v0.0.44 

func NewNoneManager() (Provider, error)

NewNoneManager creates an instance of NoneManager.

func NewOnePasswordManager added in v0.0.32 

func NewOnePasswordManager() (Provider, error)

NewOnePasswordManager creates an instance of OnePasswordManager.

type ProviderCapabilities added in v0.0.43 

type ProviderCapabilities struct {
	CanRead    bool
	CanWrite   bool
	CanDelete  bool
	CanList    bool
	CanCleanup bool
}

ProviderCapabilities represents what operations a secrets provider supports.

func (ProviderCapabilities) IsReadOnly added in v0.0.43 

func (pc ProviderCapabilities) IsReadOnly() bool

IsReadOnly returns true if the provider only supports read operations.

func (ProviderCapabilities) IsReadWrite added in v0.0.43 

func (pc ProviderCapabilities) IsReadWrite() bool

IsReadWrite returns true if the provider supports both read and write operations.

func (ProviderCapabilities) String added in v0.0.43 

func (pc ProviderCapabilities) String() string

String returns a human-readable description of the capabilities.

type ProviderType 

type ProviderType string

ProviderType represents an enum of the types of available secrets providers. 

const (
	// EncryptedType represents the encrypted secret provider.
	EncryptedType ProviderType = "encrypted"

	// OnePasswordType represents the 1Password secret provider.
	OnePasswordType ProviderType = "1password"

	// NoneType represents the none secret provider.
	NoneType ProviderType = "none"
)

type SecretDescription added in v0.0.43 

type SecretDescription struct {
	// Key is the unique identifier for the secret, used when retrieving it.
	Key string `json:"key"`
	// Description provides a human-readable description of the secret
	// Particularly useful for 1password.
	// May be empty if no description is available.
	Description string `json:"description"`
}

SecretDescription is returned by `ListSecrets`.

type SecretParameter 

type SecretParameter struct {
	Name   string `json:"name"`
	Target string `json:"target"`
}

SecretParameter represents a parsed `--secret` parameter.

func ParseSecretParameter 

func ParseSecretParameter(parameter string) (SecretParameter, error)

ParseSecretParameter creates an instance of SecretParameter from a string. Expected format: `<Name>,target=<Target>`.

Source Files

View all Source files

Directories

Path Synopsis
Package aes contains functions for encrypting and decrypting data using AES-GCM
 Package aes contains functions for encrypting and decrypting data using AES-GCM
Package clients contains code for connecting to secret provider APIs.
 Package clients contains code for connecting to secret provider APIs.
mocks
Package mocks is a generated GoMock package.
 Package mocks is a generated GoMock package.
Package mocks is a generated GoMock package.
 Package mocks is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.