Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BaseSecretsProvider ¶
// BaseSecretsProvider is the base type that the other providers on this page embed.
type BaseSecretsProvider struct {
// Embedded interface value. Initialize, LoadSecrets, GetSecret and ParseSecrets
// are all declared directly on *BaseSecretsProvider, so calls made through a
// *BaseSecretsProvider resolve to those methods rather than to this field.
// NOTE(review): whether this field is ever assigned is not visible here — confirm.
SecretsProvider
// contains filtered or unexported fields
}
BaseSecretsProvider is a base implementation of the SecretsProvider interface
func NewBaseSecretsProvider ¶
func NewBaseSecretsProvider(injector di.Injector) *BaseSecretsProvider
NewBaseSecretsProvider creates a new BaseSecretsProvider instance
func (*BaseSecretsProvider) GetSecret ¶
func (s *BaseSecretsProvider) GetSecret(key string) (string, error)
GetSecret retrieves a secret value for the specified key
func (*BaseSecretsProvider) Initialize ¶
func (s *BaseSecretsProvider) Initialize() error
Initialize initializes the secrets provider
func (*BaseSecretsProvider) LoadSecrets ¶
func (s *BaseSecretsProvider) LoadSecrets() error
LoadSecrets loads the secrets from the specified path
func (*BaseSecretsProvider) ParseSecrets ¶
func (s *BaseSecretsProvider) ParseSecrets(input string) (string, error)
ParseSecrets is a placeholder function for parsing secrets
type MockSecretsProvider ¶
// MockSecretsProvider is a test double for SecretsProvider. Each exported
// function field overrides the method of the matching name when it is set.
type MockSecretsProvider struct {
// Embedded by value (the other providers on this page embed *BaseSecretsProvider).
BaseSecretsProvider
// InitializeFunc, when set, is called by Initialize; when nil, Initialize returns nil.
InitializeFunc func() error
// LoadSecretsFunc, when set, is called by LoadSecrets; when nil, LoadSecrets returns nil.
LoadSecretsFunc func() error
// GetSecretFunc, when set, is called by GetSecret; when nil, GetSecret returns
// an error indicating the secret was not found.
GetSecretFunc func(key string) (string, error)
// ParseSecretsFunc, when set, is called by ParseSecrets; when nil, ParseSecrets
// returns its input unchanged, so secret references in the input are left unresolved.
ParseSecretsFunc func(input string) (string, error)
// UnlockFunc, when set, is called by Unlock; when nil, Unlock returns nil.
// Unlock is not part of the SecretsProvider interface shown on this page.
UnlockFunc func() error
}
MockSecretsProvider is a mock implementation of the SecretsProvider interface for testing purposes
func NewMockSecretsProvider ¶
func NewMockSecretsProvider(injector di.Injector) *MockSecretsProvider
NewMockSecretsProvider creates a new instance of MockSecretsProvider
func (*MockSecretsProvider) GetSecret ¶
func (m *MockSecretsProvider) GetSecret(key string) (string, error)
GetSecret calls the mock GetSecretFunc if set, otherwise returns an error indicating the secret was not found
func (*MockSecretsProvider) Initialize ¶
func (m *MockSecretsProvider) Initialize() error
Initialize calls the mock InitializeFunc if set, otherwise returns nil
func (*MockSecretsProvider) LoadSecrets ¶
func (m *MockSecretsProvider) LoadSecrets() error
LoadSecrets calls the mock LoadSecretsFunc if set, otherwise returns nil
func (*MockSecretsProvider) ParseSecrets ¶
func (m *MockSecretsProvider) ParseSecrets(input string) (string, error)
ParseSecrets calls the mock ParseSecretsFunc if set, otherwise returns the input unchanged
func (*MockSecretsProvider) Unlock ¶
func (m *MockSecretsProvider) Unlock() error
Unlock calls the mock UnlockFunc if set, otherwise returns nil
type OnePasswordCLISecretsProvider ¶
// OnePasswordCLISecretsProvider implements SecretsProvider on top of the 1Password CLI.
type OnePasswordCLISecretsProvider struct {
// Embedded pointer. This type declares only GetSecret and ParseSecrets itself,
// so Initialize and LoadSecrets are the promoted BaseSecretsProvider methods.
// NOTE(review): presumably set by NewOnePasswordCLISecretsProvider; a value built
// as a bare struct literal would leave this pointer nil — confirm.
*BaseSecretsProvider
// contains filtered or unexported fields
}
OnePasswordCLISecretsProvider is a struct that implements the SecretsProvider interface using 1Password CLI.
func NewOnePasswordCLISecretsProvider ¶
func NewOnePasswordCLISecretsProvider(vault secretsConfigType.OnePasswordVault, injector di.Injector) *OnePasswordCLISecretsProvider
NewOnePasswordCLISecretsProvider creates a new OnePasswordCLISecretsProvider instance
func (*OnePasswordCLISecretsProvider) GetSecret ¶
func (s *OnePasswordCLISecretsProvider) GetSecret(key string) (string, error)
GetSecret retrieves the secret value for the given key using the 1Password CLI. The key format is 'secret.field'. If the provider is locked, it returns a masked value. The CLI is executed directly so that the secret is not leaked before it has been registered, and the secret is registered for shell scrubbing to prevent its exposure in output. It returns the secret, or an error on failure.
func (*OnePasswordCLISecretsProvider) ParseSecrets ¶
func (s *OnePasswordCLISecretsProvider) ParseSecrets(input string) (string, error)
ParseSecrets identifies and replaces ${{ op.<id>.<secret>.<field> }} patterns in the input with corresponding secret values from 1Password, ensuring the id matches the vault ID.
type OnePasswordSDKSecretsProvider ¶ added in v0.5.7
// OnePasswordSDKSecretsProvider implements SecretsProvider on top of the 1Password SDK.
type OnePasswordSDKSecretsProvider struct {
// Embedded pointer. This type declares GetSecret, Initialize and ParseSecrets
// itself, so LoadSecrets is the promoted BaseSecretsProvider method.
// NOTE(review): presumably set by NewOnePasswordSDKSecretsProvider; a value built
// as a bare struct literal would leave this pointer nil — confirm.
*BaseSecretsProvider
// contains filtered or unexported fields
}
OnePasswordSDKSecretsProvider is an implementation of the SecretsProvider interface that uses the 1Password SDK to manage secrets.
func NewOnePasswordSDKSecretsProvider ¶ added in v0.5.7
func NewOnePasswordSDKSecretsProvider(vault secretsConfigType.OnePasswordVault, injector di.Injector) *OnePasswordSDKSecretsProvider
NewOnePasswordSDKSecretsProvider creates a new OnePasswordSDKSecretsProvider instance
func (*OnePasswordSDKSecretsProvider) GetSecret ¶ added in v0.5.7
func (s *OnePasswordSDKSecretsProvider) GetSecret(key string) (string, error)
GetSecret retrieves a secret value for the specified key and automatically registers it with the shell for output scrubbing. It first checks whether the provider is unlocked; if it is not, it returns a masked value. It then ensures that the 1Password client is initialized, using a service account token taken from the environment. The key is split into an item part and a field part, and the item name is sanitized. A secret reference URI is constructed from these parts and used to resolve the secret value from 1Password. If resolution succeeds, the secret value is registered with the shell's scrubbing system and returned; otherwise, an error is returned.
func (*OnePasswordSDKSecretsProvider) Initialize ¶ added in v0.5.7
func (s *OnePasswordSDKSecretsProvider) Initialize() error
Initialize initializes the secrets provider
func (*OnePasswordSDKSecretsProvider) ParseSecrets ¶ added in v0.5.7
func (s *OnePasswordSDKSecretsProvider) ParseSecrets(input string) (string, error)
ParseSecrets identifies and replaces ${{ op.<id>.<secret>.<field> }} patterns in the input with corresponding secret values from 1Password, ensuring the id matches the vault ID.
type SecretsProvider ¶
// SecretsProvider is the contract shared by the secrets backends on this page.
type SecretsProvider interface {
// Initialize initializes the secrets provider
Initialize() error
// LoadSecrets loads the secrets from the specified path.
// The method takes no arguments, so the location has to come from the provider
// itself. NOTE(review): for SOPS this is presumably the configPath given to
// NewSopsSecretsProvider — confirm.
LoadSecrets() error
// GetSecret retrieves a secret value for the specified key.
// The returned string is not always the secret itself: the 1Password and SOPS
// providers are documented as returning a masked value while the provider is
// locked, so callers should not assume the result is usable as a credential.
GetSecret(key string) (string, error)
// ParseSecrets parses a string and replaces secret references with their values.
// The reference syntax is provider-specific: the 1Password providers document
// ${{ op.<id>.<secret>.<field> }} and the SOPS provider ${{ sops.<key> }}.
// NOTE(review): a generic ${{ secrets.<key> }} form is not documented for any
// provider on this page — confirm whether it is supported.
ParseSecrets(input string) (string, error)
}
SecretsProvider defines the interface for handling secrets operations
type Shims ¶ added in v0.5.7
// Shims groups the system and library calls the providers go through, as
// replaceable function fields so that tests can substitute them.
// NOTE(review): these fields sit on the path that decrypts files, resolves
// secrets and launches processes; outside tests they should presumably stay
// bound to the real implementations — confirm how the defaults are assigned.
type Shims struct {
// Stat has the signature of os.Stat — presumably its default; confirm.
Stat func(string) (os.FileInfo, error)
// YAMLUnmarshal decodes bytes into a value; the YAML library behind it is not visible here.
YAMLUnmarshal func([]byte, any) error
// DecryptFile returns decrypted bytes for two string arguments.
// NOTE(review): presumably the SOPS decryption call (file path and format) — confirm.
DecryptFile func(string, string) ([]byte, error)
// NewOnePasswordClient builds a 1Password SDK client from a context and client options.
NewOnePasswordClient func(context.Context, ...onepassword.ClientOption) (*onepassword.Client, error)
// ResolveSecret resolves a string to a secret value through the given client.
// NOTE(review): the string is presumably the secret reference URI described
// on OnePasswordSDKSecretsProvider.GetSecret — confirm.
ResolveSecret func(*onepassword.Client, context.Context, string) (string, error)
// Command has the signature of exec.Command — presumably its default; confirm.
// NOTE(review): likely the seam through which the 1Password CLI is started.
Command func(name string, arg ...string) *exec.Cmd
// CmdOutput runs a prepared command and returns its output bytes.
// NOTE(review): for the CLI provider those bytes presumably contain the
// secret itself, so a replacement must not log or persist them — confirm.
CmdOutput func(cmd *exec.Cmd) ([]byte, error)
}
Shims provides mockable wrappers around system and runtime functions
type SopsSecretsProvider ¶
// SopsSecretsProvider implements SecretsProvider using SOPS for decryption.
type SopsSecretsProvider struct {
// Embedded pointer. This type declares GetSecret, LoadSecrets and ParseSecrets
// itself, so Initialize is the promoted BaseSecretsProvider method.
// NOTE(review): presumably set by NewSopsSecretsProvider; a value built as a
// bare struct literal would leave this pointer nil — confirm.
*BaseSecretsProvider
// contains filtered or unexported fields
}
SopsSecretsProvider is a struct that implements the SecretsProvider interface using SOPS for decryption.
func NewSopsSecretsProvider ¶
func NewSopsSecretsProvider(configPath string, injector di.Injector) *SopsSecretsProvider
NewSopsSecretsProvider creates a new instance of SopsSecretsProvider.
func (*SopsSecretsProvider) GetSecret ¶
func (s *SopsSecretsProvider) GetSecret(key string) (string, error)
GetSecret retrieves a secret value for the specified key and automatically registers it with the shell for output scrubbing. If the provider is locked, it returns a masked value. When unlocked, it returns the actual secret value and registers it with the shell's scrubbing system to prevent accidental exposure in command output.
func (*SopsSecretsProvider) LoadSecrets ¶
func (s *SopsSecretsProvider) LoadSecrets() error
LoadSecrets loads and decrypts the secrets from the SOPS-encrypted file.
func (*SopsSecretsProvider) ParseSecrets ¶
func (s *SopsSecretsProvider) ParseSecrets(input string) (string, error)
ParseSecrets parses a string and replaces ${{ sops.<key> }} references with their values