fieldcrypt

package
v1.97.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 4, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package fieldcrypt provides AES-256-GCM encryption of sensitive fields within connection-config maps, plus the RestFieldEncryptor adapter used by sub-package stores (gateway OAuth tokens, PKCE state). It is a standalone package (not tied to *platform.Platform) so the at-rest encryption concern lives in one place and does not count against the platform package budget.

Index

Constants

View Source
const (
	// CfgKeySecretAccessKey is the S3 secret access key config-map key.
	CfgKeySecretAccessKey = "secret_access_key"

	// CfgKeyToken is the bearer/token config-map key.
	CfgKeyToken = "token"
)

Conventional config-map keys for sensitive fields. Defined as constants because the same literals appear in multiple call sites (encryption allowlist + per-toolkit config extraction) and a typo or rename would silently bypass at-rest encryption.

View Source
const CfgKeyPassword = "password"

CfgKeyPassword is the conventional config-map key for password fields.

View Source
const CfgKeyStaticHeaders = "static_headers"

CfgKeyStaticHeaders is the connection-config key whose value is a nested map[string]any of HTTP headers added to every outbound apigateway request. Exported so the toolkit and admin redaction share one canonical name. The inner values are encrypted at rest.

View Source
const KeyLength = 32

KeyLength is the required key length in bytes for AES-256.

Variables

This section is empty.

Functions

func SensitiveConfigKeyList

func SensitiveConfigKeyList() []string

SensitiveConfigKeyList returns a copy of the sensitive-key set as a slice for tests in other packages (e.g. pkg/admin) that assert their redaction list covers the encryption layer's set. Returning a copy keeps the underlying map private.

func SensitiveNestedMapKeyList

func SensitiveNestedMapKeyList() []string

SensitiveNestedMapKeyList returns the nested-map sensitive key set as a slice for cross-package tests (mirrors SensitiveConfigKeyList).

Types

type FieldEncryptor

type FieldEncryptor struct {
	// contains filtered or unexported fields
}

FieldEncryptor encrypts and decrypts sensitive fields within connection config maps. Uses AES-256-GCM with a random nonce per encryption. The encrypted value is stored as "enc:" + base64(nonce + ciphertext).

func NewFieldEncryptor

func NewFieldEncryptor(key []byte) (*FieldEncryptor, error)

NewFieldEncryptor creates an encryptor from a 32-byte (AES-256) key. The key should come from the ENCRYPTION_KEY environment variable. Returns nil if the key is empty (encryption disabled — values stored in plain text).

func (*FieldEncryptor) DecryptSensitiveFields

func (e *FieldEncryptor) DecryptSensitiveFields(config map[string]any) (map[string]any, error)

DecryptSensitiveFields returns a copy of the config map with sensitive field values decrypted. Non-sensitive fields and plain-text values are left unchanged. If the encryptor is nil, the original map is returned unchanged.

func (*FieldEncryptor) EncryptSensitiveFields

func (e *FieldEncryptor) EncryptSensitiveFields(config map[string]any) (map[string]any, error)

EncryptSensitiveFields returns a copy of the config map with sensitive field values encrypted. Non-sensitive fields and already-encrypted values are left unchanged. If the encryptor is nil, the original map is returned unchanged.

type RestFieldEncryptor

type RestFieldEncryptor struct {
	// contains filtered or unexported fields
}

RestFieldEncryptor adapts a FieldEncryptor to the generic Encrypt/Decrypt interface used by sub-package stores (gateway OAuth tokens, PKCE state, etc.) so every at-rest secret uses the same key, algorithm, and enc:base64(nonce|cipher) prefix as connection credentials.

Exported so consumers like main.go can pass it to constructors (e.g., pkcestore.NewPostgresStore) without importing internal platform types.

func NewRestFieldEncryptor

func NewRestFieldEncryptor(enc *FieldEncryptor) *RestFieldEncryptor

NewRestFieldEncryptor wraps a FieldEncryptor (which may be nil when encryption is disabled) as a RestFieldEncryptor.

func (*RestFieldEncryptor) Decrypt

func (g *RestFieldEncryptor) Decrypt(ciphertext string) (string, error)

Decrypt reverses Encrypt. Plaintext (no enc: prefix) is returned unchanged so legacy/unencrypted rows degrade gracefully.

func (*RestFieldEncryptor) Encrypt

func (g *RestFieldEncryptor) Encrypt(plaintext string) (string, error)

Encrypt wraps a string with the same enc:base64(nonce|cipher) prefix the field encryptor uses for sensitive config map values.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL