gemalto

package v0.23.0

This package is not in the latest version of its module.

Published: Nov 10, 2023 License: AGPL-3.0 Imports: 20 Imported by: 0

Documentation

Overview

Package gemalto implements a key store that fetches/stores cryptographic keys on a Gemalto KeySecure instance.

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	// Endpoint is the KeySecure instance endpoint.
	Endpoint string

	// CAPath is a path to the root CA certificate(s)
	// used to verify the TLS certificate of the KeySecure
	// instance. If empty, the host's root CA set is used.
	CAPath string

	// Login credentials are used to authenticate to the
	// KeySecure instance and obtain a short-lived authentication
	// token.
	Login Credentials
}

Config is a structure containing configuration options for connecting to a KeySecure server.

type Credentials

type Credentials struct {
	Token  string        // The KeySecure refresh token
	Domain string        // The KeySecure domain - similar to a Vault Namespace
	Retry  time.Duration // The time to wait before trying to re-authenticate
}

Credentials represents a Gemalto KeySecure refresh token that can be used to obtain a short-lived authentication token.

A token is valid within either the default root domain (empty) or a specific domain - e.g. my-domain.

type Store added in v0.23.0

type Store struct {
	// contains filtered or unexported fields
}

Store is a Gemalto KeySecure secret store.

func Connect

func Connect(ctx context.Context, config *Config) (c *Store, err error)

Connect returns a Store to a Gemalto KeySecure server using the given config.

func (*Store) Close added in v0.23.0

func (s *Store) Close() error

Close closes the Store. It stops any authentication renewal in the background.

func (*Store) Create added in v0.23.0

func (s *Store) Create(ctx context.Context, name string, value []byte) error

Create creates the given key-value pair at Gemalto if and only if the given key does not exist. If such an entry already exists it returns kes.ErrKeyExists.

func (*Store) Delete added in v0.23.0

func (s *Store) Delete(ctx context.Context, name string) error

Delete removes the value associated with the given key from Gemalto, if it exists.

func (*Store) Get added in v0.23.0

func (s *Store) Get(ctx context.Context, name string) ([]byte, error)

Get returns the value associated with the given key. If no entry for the key exists it returns kes.ErrKeyNotFound.
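The create-if-absent contract of Create (it returns kes.ErrKeyExists instead of overwriting) is what lets several callers provision the same key name without one of them silently replacing key material that already encrypts data. The following is an added example, not code from the kes project: a constructed in-memory stand-in that follows the documented Create/Get contract, local sentinel errors assumed in place of kes.ErrKeyExists and kes.ErrKeyNotFound, and a provision helper that reads back the existing key when its own Create loses the race.

```go
package main

import (
	"context"
	"errors"
	"sync"
)

// Stand-ins for kes.ErrKeyExists and kes.ErrKeyNotFound (assumption: defined locally so this runs without kes).
var ErrKeyExists = errors.New("key already exists")
var ErrKeyNotFound = errors.New("key not found")
// keyStore is the part of the Store method set used here; *gemalto.Store has the same signatures.
type keyStore interface {
	Create(ctx context.Context, name string, value []byte) error
	Get(ctx context.Context, name string) ([]byte, error)
}
type memStore struct { // constructed in-memory stand-in following the documented contract
	mu   sync.Mutex
	keys map[string][]byte
}
// Create stores value only if name is absent: existing key material is never overwritten.
func (m *memStore) Create(_ context.Context, name string, value []byte) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	if _, ok := m.keys[name]; ok {
		return ErrKeyExists
	}
	m.keys[name] = append([]byte(nil), value...)
	return nil
}
// Get returns a copy of the stored value, or ErrKeyNotFound.
func (m *memStore) Get(_ context.Context, name string) ([]byte, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if v, ok := m.keys[name]; ok {
		return append([]byte(nil), v...), nil
	}
	return nil, ErrKeyNotFound
}
// provision creates name with candidate or, if another caller got there first, returns the existing material.
func provision(ctx context.Context, s keyStore, name string, candidate []byte) ([]byte, error) {
	switch err := s.Create(ctx, name, candidate); {
	case err == nil:
		return candidate, nil
	case !errors.Is(err, ErrKeyExists):
		return nil, err
	}
	return s.Get(ctx, name)
}
```

Any other error from Create (network, authentication, policy) is returned unchanged, so a caller never mistakes a failed write for a successful one.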

func (*Store) List added in v0.23.0

func (s *Store) List(ctx context.Context, prefix string, n int) ([]string, string, error)

List returns a new Iterator over the names of all stored keys. List returns the first n key names that start with the given prefix, and the next prefix from which the listing should continue.

It returns all keys with the prefix if n < 0, and fewer than n names if n is greater than the number of keys with the prefix.

An empty prefix matches any key name. At the end of the listing, or when there are no (more) keys starting with the prefix, the returned prefix is empty.

func (*Store) Set added in v0.23.0

func (s *Store) Set(ctx context.Context, name string, value []byte) error

Set creates the given key-value pair at Gemalto if and only if the given key does not exist. If such an entry already exists it returns kes.ErrKeyExists.

func (*Store) Status added in v0.23.0

func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error)

Status returns the current state of the Gemalto KeySecure instance. In particular, whether it is reachable and the network latency.

func (*Store) String added in v0.23.0

func (s *Store) String() string

Notes

Bugs

  • The KeySecure server returns 404 NotFound if the secret does not exist, but also when we are not allowed to access/delete the secret due to insufficient policy permissions. The reason for this is probably that a client should not be able to determine whether a particular secret exists (if the client has no access to it). Unfortunately, this means we cannot guarantee that we actually deleted the secret. It could also be the case that we lost access (e.g. due to a policy change). So, in this case we don't return an error, and the client therefore assumes it has deleted the secret successfully.
