diff options
| author | Mike Crute <mike@crute.us> | 2023-02-28 20:02:58 -0800 |
|---|---|---|
| committer | Mike Crute <mike@crute.us> | 2023-02-28 20:02:58 -0800 |
| commit | 14a8d74efed00c13bd59e2ff9adc0b743803535d (patch) | |
| tree | 2642faa720d6103ed23c07ec60230cee0dd58a38 /secrets | |
| parent | 3c13745d23b7474b87346fb60903d4dec600fd34 (diff) | |
| download | golib-14a8d74efed00c13bd59e2ff9adc0b743803535d.tar.bz2 golib-14a8d74efed00c13bd59e2ff9adc0b743803535d.tar.xz golib-14a8d74efed00c13bd59e2ff9adc0b743803535d.zip | |
secrets: support encrypt/decryptsecrets/v0.4.0
Diffstat (limited to 'secrets')
| -rw-r--r-- | secrets/client.go | 2 | ||||
| -rw-r--r-- | secrets/config_file_client.go | 8 | ||||
| -rw-r--r-- | secrets/noop_client.go | 8 | ||||
| -rw-r--r-- | secrets/vault_client.go | 32 |
4 files changed, 50 insertions, 0 deletions
diff --git a/secrets/client.go b/secrets/client.go index aaa45d7..678a70d 100644 --- a/secrets/client.go +++ b/secrets/client.go | |||
| @@ -76,6 +76,8 @@ type Client interface { | |||
| 76 | AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error) | 76 | AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error) |
| 77 | AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error) | 77 | AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error) |
| 78 | WriteSecret(ctx context.Context, suffix string, out any) error | 78 | WriteSecret(ctx context.Context, suffix string, out any) error |
| 79 | Encrypt(ctx context.Context, suffix string, data []byte) (string, error) | ||
| 80 | Decrypt(ctx context.Context, suffix, data string) ([]byte, error) | ||
| 79 | Destroy(Handle) error | 81 | Destroy(Handle) error |
| 80 | MakeNonCritical(Handle) error | 82 | MakeNonCritical(Handle) error |
| 81 | } | 83 | } |
diff --git a/secrets/config_file_client.go b/secrets/config_file_client.go index ef2907e..b3c8620 100644 --- a/secrets/config_file_client.go +++ b/secrets/config_file_client.go | |||
| @@ -127,6 +127,14 @@ func (c *ConfigFileClient) WriteSecret(ctx context.Context, path string, in any) | |||
| 127 | return nil | 127 | return nil |
| 128 | } | 128 | } |
| 129 | 129 | ||
| 130 | func (c *ConfigFileClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error) { | ||
| 131 | return "", nil | ||
| 132 | } | ||
| 133 | |||
| 134 | func (c *ConfigFileClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error) { | ||
| 135 | return nil, nil | ||
| 136 | } | ||
| 137 | |||
| 130 | func (c *ConfigFileClient) Destroy(h Handle) error { | 138 | func (c *ConfigFileClient) Destroy(h Handle) error { |
| 131 | return nil | 139 | return nil |
| 132 | } | 140 | } |
diff --git a/secrets/noop_client.go b/secrets/noop_client.go index e727e51..1b6b72b 100644 --- a/secrets/noop_client.go +++ b/secrets/noop_client.go | |||
| @@ -54,6 +54,14 @@ func (c *NoopClient) WriteSecret(ctx context.Context, path string, in any) error | |||
| 54 | return nil | 54 | return nil |
| 55 | } | 55 | } |
| 56 | 56 | ||
| 57 | func (c *NoopClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error) { | ||
| 58 | return "", nil | ||
| 59 | } | ||
| 60 | |||
| 61 | func (c *NoopClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error) { | ||
| 62 | return nil, nil | ||
| 63 | } | ||
| 64 | |||
| 57 | func (c *NoopClient) Destroy(h Handle) error { | 65 | func (c *NoopClient) Destroy(h Handle) error { |
| 58 | return nil | 66 | return nil |
| 59 | } | 67 | } |
diff --git a/secrets/vault_client.go b/secrets/vault_client.go index b84b344..9d4b772 100644 --- a/secrets/vault_client.go +++ b/secrets/vault_client.go | |||
| @@ -3,6 +3,7 @@ package secrets | |||
| 3 | import ( | 3 | import ( |
| 4 | "container/heap" | 4 | "container/heap" |
| 5 | "context" | 5 | "context" |
| 6 | "encoding/base64" | ||
| 6 | "encoding/json" | 7 | "encoding/json" |
| 7 | "errors" | 8 | "errors" |
| 8 | "fmt" | 9 | "fmt" |
| @@ -436,6 +437,37 @@ func (c *VaultClient) WriteSecret(ctx context.Context, suffix string, in any) er | |||
| 436 | return nil | 437 | return nil |
| 437 | } | 438 | } |
| 438 | 439 | ||
| 440 | func (c *VaultClient) Encrypt(ctx context.Context, suffix string, data []byte) (string, error) { | ||
| 441 | s, err := c.logical.WriteWithContext( | ||
| 442 | ctx, | ||
| 443 | path.Join("transit/encrypt", suffix), | ||
| 444 | map[string]any{"plaintext": base64.StdEncoding.EncodeToString(data)}, | ||
| 445 | ) | ||
| 446 | if err != nil { | ||
| 447 | return "", fmt.Errorf("Encrypt: unable to write to vault: %w", err) | ||
| 448 | } | ||
| 449 | |||
| 450 | return s.Data["ciphertext"].(string), nil | ||
| 451 | } | ||
| 452 | |||
| 453 | func (c *VaultClient) Decrypt(ctx context.Context, suffix, data string) ([]byte, error) { | ||
| 454 | s, err := c.logical.WriteWithContext( | ||
| 455 | ctx, | ||
| 456 | path.Join("transit/decrypt", suffix), | ||
| 457 | map[string]any{"ciphertext": data}, | ||
| 458 | ) | ||
| 459 | if err != nil { | ||
| 460 | return nil, fmt.Errorf("Decrypt: unable to write to vault: %w", err) | ||
| 461 | } | ||
| 462 | |||
| 463 | d, err := base64.StdEncoding.DecodeString(s.Data["plaintext"].(string)) | ||
| 464 | if err != nil { | ||
| 465 | return nil, fmt.Errorf("Decrypt: unable to base64 decode plaintext: %w", err) | ||
| 466 | } | ||
| 467 | |||
| 468 | return d, nil | ||
| 469 | } | ||
| 470 | |||
| 439 | func (c *VaultClient) Destroy(h Handle) error { | 471 | func (c *VaultClient) Destroy(h Handle) error { |
| 440 | c.Lock() | 472 | c.Lock() |
| 441 | defer c.Unlock() | 473 | defer c.Unlock() |