Package secrets v0.0.43

Note: this version is not the latest version of its module.

Published: Jun 9, 2025 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package secrets contains the secrets management logic for ToolHive.

Index

Constants

const (
	// PasswordEnvVar is the environment variable used to specify the password for encrypting and decrypting secrets.
	PasswordEnvVar = "TOOLHIVE_SECRETS_PASSWORD"

	// ProviderEnvVar is the environment variable used to specify the secrets provider type.
	ProviderEnvVar = "TOOLHIVE_SECRETS_PROVIDER"
)

Variables

var Err1PasswordReadOnly = fmt.Errorf("1Password secrets manager is read-only, write operations are not supported")

Err1PasswordReadOnly indicates that the 1Password secrets manager is read-only. It is returned by operations which attempt to change values in 1Password.

var ErrUnknownManagerType = errors.New("unknown secret manager type")

ErrUnknownManagerType is returned when an invalid value for ProviderType is specified.

Functions

func GetSecretsPassword

func GetSecretsPassword() ([]byte, error)

GetSecretsPassword returns the password to use for encrypting and decrypting secrets. It will attempt to retrieve it from the environment variable TOOLHIVE_SECRETS_PASSWORD. If the environment variable is not set, it will prompt the user to enter a password.

func ResetKeyringSecret

func ResetKeyringSecret() error

ResetKeyringSecret clears out the secret from the keystore (if present).

func SecretParametersToCLI added in v0.0.34

func SecretParametersToCLI(params []SecretParameter) []string

SecretParametersToCLI does the reverse of `ParseSecretParameter`. TODO: It may be possible to get rid of this with refactoring.

Types

type EncryptedManager

type EncryptedManager struct {
	// contains filtered or unexported fields
}

EncryptedManager stores secrets in an encrypted file. AES-256-GCM is used for encryption.

func (*EncryptedManager) Capabilities added in v0.0.43

func (*EncryptedManager) Capabilities() ProviderCapabilities

Capabilities returns the capabilities of the encrypted provider.

func (*EncryptedManager) Cleanup

func (e *EncryptedManager) Cleanup() error

Cleanup removes all secrets managed by this manager.

func (*EncryptedManager) DeleteSecret

func (e *EncryptedManager) DeleteSecret(_ context.Context, name string) error

DeleteSecret removes a secret from the secret store.

func (*EncryptedManager) GetSecret

func (e *EncryptedManager) GetSecret(_ context.Context, name string) (string, error)

GetSecret retrieves a secret from the secret store.

func (*EncryptedManager) ListSecrets

func (e *EncryptedManager) ListSecrets(_ context.Context) ([]SecretDescription, error)

ListSecrets returns a list of all secret names stored in the manager.

func (*EncryptedManager) SetSecret

func (e *EncryptedManager) SetSecret(_ context.Context, name, value string) error

SetSecret stores a secret in the secret store.

type OnePasswordManager added in v0.0.32

type OnePasswordManager struct {
	// contains filtered or unexported fields
}

OnePasswordManager manages secrets in 1Password.

func NewOnePasswordManagerWithClient added in v0.0.43

func NewOnePasswordManagerWithClient(client clients.OnePasswordClient) *OnePasswordManager

NewOnePasswordManagerWithClient creates an instance of OnePasswordManager with a provided 1Password client. This function is primarily intended for testing purposes.

func (*OnePasswordManager) Capabilities added in v0.0.43

func (*OnePasswordManager) Capabilities() ProviderCapabilities

Capabilities returns the capabilities of the 1Password provider: a read-only provider with listing support.

func (*OnePasswordManager) Cleanup added in v0.0.32

func (*OnePasswordManager) Cleanup() error

Cleanup is not needed for 1Password.

func (*OnePasswordManager) DeleteSecret added in v0.0.32

func (*OnePasswordManager) DeleteSecret(_ context.Context, _ string) error

DeleteSecret is not supported for 1Password unless there is demand for it.

func (*OnePasswordManager) GetSecret added in v0.0.32

func (o *OnePasswordManager) GetSecret(ctx context.Context, path string) (string, error)

GetSecret retrieves a secret from 1Password.

func (*OnePasswordManager) ListSecrets added in v0.0.32

func (o *OnePasswordManager) ListSecrets(ctx context.Context) ([]SecretDescription, error)

ListSecrets lists the paths to the secrets in 1Password. 1Password has a hierarchy of vaults, items, and fields. Each secret is represented as a path in the format: op://<vault>/<item>/<field>

func (*OnePasswordManager) SetSecret added in v0.0.32

func (*OnePasswordManager) SetSecret(_ context.Context, _, _ string) error

SetSecret is not supported for 1Password unless there is demand for it.

type Provider added in v0.0.32

type Provider interface {
	GetSecret(ctx context.Context, name string) (string, error)
	SetSecret(ctx context.Context, name, value string) error
	DeleteSecret(ctx context.Context, name string) error
	ListSecrets(ctx context.Context) ([]SecretDescription, error)
	Cleanup() error
	// Capabilities returns what operations this provider supports
	Capabilities() ProviderCapabilities
}

Provider describes a type which can manage secrets.

func CreateSecretProvider added in v0.0.33

func CreateSecretProvider(managerType ProviderType) (Provider, error)

CreateSecretProvider creates the specified type of secrets provider.

func NewEncryptedManager

func NewEncryptedManager(filePath string, key []byte) (Provider, error)

NewEncryptedManager creates an instance of EncryptedManager.

func NewOnePasswordManager added in v0.0.32

func NewOnePasswordManager() (Provider, error)

NewOnePasswordManager creates an instance of OnePasswordManager.

type ProviderCapabilities added in v0.0.43

type ProviderCapabilities struct {
	CanRead    bool
	CanWrite   bool
	CanDelete  bool
	CanList    bool
	CanCleanup bool
}

ProviderCapabilities represents what operations a secrets provider supports.

func (ProviderCapabilities) IsReadOnly added in v0.0.43

func (pc ProviderCapabilities) IsReadOnly() bool

IsReadOnly returns true if the provider only supports read operations.

func (ProviderCapabilities) IsReadWrite added in v0.0.43

func (pc ProviderCapabilities) IsReadWrite() bool

IsReadWrite returns true if the provider supports both read and write operations.

func (ProviderCapabilities) String added in v0.0.43

func (pc ProviderCapabilities) String() string

String returns a human-readable description of the capabilities.

type ProviderType

type ProviderType string

ProviderType represents an enum of the types of available secrets providers.

const (
	// EncryptedType represents the encrypted secret provider.
	EncryptedType ProviderType = "encrypted"

	// OnePasswordType represents the 1Password secret provider.
	OnePasswordType ProviderType = "1password"
)

type SecretDescription added in v0.0.43

type SecretDescription struct {
	// Key is the unique identifier for the secret, used when retrieving it.
	Key string `json:"key"`
	// Description provides a human-readable description of the secret
	// Particularly useful for 1password.
	// May be empty if no description is available.
	Description string `json:"description"`
}

SecretDescription is returned by `ListSecrets`.

type SecretParameter

type SecretParameter struct {
	Name   string `json:"name"`
	Target string `json:"target"`
}

SecretParameter represents a parsed `--secret` parameter.

func ParseSecretParameter

func ParseSecretParameter(parameter string) (SecretParameter, error)

ParseSecretParameter creates an instance of SecretParameter from a string. Expected format: `<Name>,target=<Target>`.
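A parser for the `<Name>,target=<Target>` format together with its inverse, added here as an illustration and not ToolHive's own implementation of ParseSecretParameter or SecretParametersToCLI. It assumes a target may not contain a comma and that SecretParametersToCLI returns the bare flag values without the `--secret` flag name.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecretParameter mirrors the struct documented above.
type SecretParameter struct {
	Name   string `json:"name"`
	Target string `json:"target"`
}

// ParseSecretParameter parses "<Name>,target=<Target>". It rejects a missing
// or empty name, a missing or empty target, and any extra comma-separated
// part, so a mistyped --secret flag fails instead of silently exposing a
// secret under the wrong target name.
func ParseSecretParameter(parameter string) (SecretParameter, error) {
	parts := strings.Split(parameter, ",")
	if len(parts) != 2 {
		return SecretParameter{}, fmt.Errorf("invalid secret parameter %q: expected <Name>,target=<Target>", parameter)
	}
	name := strings.TrimSpace(parts[0])
	if name == "" {
		return SecretParameter{}, errors.New("secret name must not be empty")
	}
	rest := strings.TrimSpace(parts[1])
	if !strings.HasPrefix(rest, "target=") {
		return SecretParameter{}, fmt.Errorf("invalid secret parameter %q: missing target=<Target>", parameter)
	}
	target := strings.TrimPrefix(rest, "target=")
	if target == "" {
		return SecretParameter{}, fmt.Errorf("invalid secret parameter %q: target must not be empty", parameter)
	}
	return SecretParameter{Name: name, Target: target}, nil
}

// SecretParametersToCLI renders parsed parameters back to the flag-value form,
// so ParseSecretParameter(SecretParametersToCLI(p)[0]) returns p again.
func SecretParametersToCLI(params []SecretParameter) []string {
	out := make([]string, 0, len(params))
	for _, p := range params {
		out = append(out, p.Name+",target="+p.Target)
	}
	return out
}
```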

Directories

Path     Synopsis
aes      Package aes contains functions for encrypting and decrypting data using AES-GCM
clients  Package clients contains code for connecting to secret provider APIs.
mocks    Package mocks is a generated GoMock package.
