Documentation
¶
Overview ¶
Package fieldcrypt provides AES-256-GCM encryption of sensitive fields within connection-config maps, plus the RestFieldEncryptor adapter used by sub-package stores (gateway OAuth tokens, PKCE state). It is a standalone package (not tied to *platform.Platform) so the at-rest encryption concern lives in one place and does not count against the platform package budget.
Index ¶
Constants ¶
const ( // CfgKeySecretAccessKey is the S3 secret access key config-map key. CfgKeySecretAccessKey = "secret_access_key" // CfgKeyToken is the bearer/token config-map key. CfgKeyToken = "token" )
Conventional config-map keys for sensitive fields. Defined as constants because the same literals appear in multiple call sites (encryption allowlist + per-toolkit config extraction) and a typo or rename would silently bypass at-rest encryption.
const CfgKeyPassword = "password"
CfgKeyPassword is the conventional config-map key for password fields.
const CfgKeyStaticHeaders = "static_headers"
CfgKeyStaticHeaders is the connection-config key whose value is a nested map[string]any of HTTP headers added to every outbound apigateway request. Exported so the toolkit and admin redaction share one canonical name. The inner values are encrypted at rest.
const KeyLength = 32
KeyLength is the required key length in bytes for AES-256.
Variables ¶
This section is empty.
Functions ¶
func SensitiveConfigKeyList ¶
func SensitiveConfigKeyList() []string
SensitiveConfigKeyList returns a copy of the sensitive-key set as a slice for tests in other packages (e.g. pkg/admin) that assert their redaction list covers the encryption layer's set. Returning a copy keeps the underlying map private.
func SensitiveNestedMapKeyList ¶
func SensitiveNestedMapKeyList() []string
SensitiveNestedMapKeyList returns the nested-map sensitive key set as a slice for cross-package tests (mirrors SensitiveConfigKeyList).
Types ¶
type FieldEncryptor ¶
type FieldEncryptor struct {
// contains filtered or unexported fields
}
FieldEncryptor encrypts and decrypts sensitive fields within connection config maps. Uses AES-256-GCM with a random nonce per encryption. The encrypted value is stored as "enc:" + base64(nonce + ciphertext).
func NewFieldEncryptor ¶
func NewFieldEncryptor(key []byte) (*FieldEncryptor, error)
NewFieldEncryptor creates an encryptor from a 32-byte (AES-256) key. The key should come from the ENCRYPTION_KEY environment variable. Returns nil if the key is empty (encryption disabled — values stored in plain text).
func (*FieldEncryptor) DecryptSensitiveFields ¶
DecryptSensitiveFields returns a copy of the config map with sensitive field values decrypted. Non-sensitive fields and plain-text values are left unchanged. If the encryptor is nil, the original map is returned unchanged.
func (*FieldEncryptor) EncryptSensitiveFields ¶
EncryptSensitiveFields returns a copy of the config map with sensitive field values encrypted. Non-sensitive fields and already-encrypted values are left unchanged. If the encryptor is nil, the original map is returned unchanged.
type RestFieldEncryptor ¶
type RestFieldEncryptor struct {
// contains filtered or unexported fields
}
RestFieldEncryptor adapts a FieldEncryptor to the generic Encrypt/Decrypt interface used by sub-package stores (gateway OAuth tokens, PKCE state, etc.) so every at-rest secret uses the same key, algorithm, and enc:base64(nonce|cipher) prefix as connection credentials.
Exported so consumers like main.go can pass it to constructors (e.g., pkcestore.NewPostgresStore) without importing internal platform types.
func NewRestFieldEncryptor ¶
func NewRestFieldEncryptor(enc *FieldEncryptor) *RestFieldEncryptor
NewRestFieldEncryptor wraps a FieldEncryptor (which may be nil when encryption is disabled) as a RestFieldEncryptor.