Documentation
Index ¶
- func SecretCreate(ctx context.Context, client SecretManagerClient, ...) error
- func SecretDelete(ctx context.Context, client SecretManagerClient, ...) error
- func SecretIamGet(ctx context.Context, client SecretManagerClient, secretName string) (map[string]string, error)
- func SecretIamSet(ctx context.Context, client SecretManagerClient, secretName string, ...) error
- func SecretRead(ctx context.Context, client SecretManagerClient, ...) ([]byte, error)
- func SecretUpdate(ctx context.Context, client SecretManagerClient, ...) error
- func SecretsAuthorizer(ctx context.Context, cfg *config.Config, client interface{}, ...) error
- type IamHandle
- type MockSecretClient
- func (m MockSecretClient) AccessSecretVersion(ctx context.Context, req *smpb.AccessSecretVersionRequest, ...) (*smpb.AccessSecretVersionResponse, error)
- func (m MockSecretClient) AddSecretVersion(ctx context.Context, req *smpb.AddSecretVersionRequest, ...) (*smpb.SecretVersion, error)
- func (m MockSecretClient) CreateSecret(ctx context.Context, req *smpb.CreateSecretRequest, options ...gax.CallOption) (*smpb.Secret, error)
- func (m MockSecretClient) DeleteSecret(ctx context.Context, req *smpb.DeleteSecretRequest, options ...gax.CallOption) error
- func (m MockSecretClient) Get(ctx context.Context, name string) (*iampb.Policy, error)
- func (m MockSecretClient) GetIamPolicy(ctx context.Context, req *iampb.GetIamPolicyRequest, options ...gax.CallOption) (*iampb.Policy, error)
- func (m MockSecretClient) GetWithVersion(ctx context.Context, name string, version int32) (*iampb.Policy, error)
- func (m MockSecretClient) IAM(name string) *iam.Handle
- func (m MockSecretClient) ListSecrets(ctx context.Context, req *smpb.ListSecretsRequest, options ...gax.CallOption) *secretmanager.SecretIterator
- func (m MockSecretClient) Set(ctx context.Context, name string, policy *iampb.Policy) error
- func (m MockSecretClient) Test(ctx context.Context, value string, values []string) ([]string, error)
- type SecretEntry
- type SecretManagerClient
- type SecretRequest
Functions ¶
func SecretCreate ¶
func SecretCreate(ctx context.Context, client SecretManagerClient, projectNumber, secretId string, valueBytes []byte) error
CREATE unit. Performs neither authentication nor authorization of its own; it must be gated by the RBAC module before it is called (it will create the secret for whoever reaches it).
func SecretDelete ¶
func SecretDelete(ctx context.Context, client SecretManagerClient, projectNumber, secretId string) error
DELETE unit. Does not authorize. Use the RBAC module in concert with this
func SecretIamGet ¶
func SecretIamGet( ctx context.Context, client SecretManagerClient, secretName string) (map[string]string, error)
Secret IAM get unit. Retrieves IAM bindings for a secret. To be used in concert with RBAC module for authorization.
func SecretIamSet ¶
func SecretIamSet( ctx context.Context, client SecretManagerClient, secretName string, ownerUser, ownerGroup string, serviceAccounts []string) error
Set Secret IAM unit. Does not authorize — it is itself the privilege-granting step (it writes IAM bindings onto the secret), so it must only run after the RBAC module has approved the caller.
Binds IAM permissions on the secret, granting Secret Accessor to:
- the default compute account,
- the workload identity account(s) (the serviceAccounts argument),
- the creator principal (presumably ownerUser), and
- the supplied owner group principal (ownerGroup).
Create/Update/Delete are then allowed through the tool for any of these principals.
Caveat: Secret Accessor is a GCP IAM grant, so these principals can read the secret value directly through GCP (console, gcloud, API) without passing through app-control's RBAC or read path; only Create/Update/Delete are forced through app-control.
func SecretRead ¶
func SecretRead( ctx context.Context, client SecretManagerClient, projectNumber, secretId string) ([]byte, error)
READ unit. Does not authorize (it grants nothing; the "grants permissions" wording belongs to SecretIamSet). Use the RBAC module in concert with this — it returns the secret payload, so an unguarded call is a direct secret disclosure.
func SecretUpdate ¶
func SecretUpdate(ctx context.Context, client SecretManagerClient, projectNumber, secretId string, valueBytes []byte) error
UPDATE unit. Does not authorize. Use the RBAC module in concert with this
func SecretsAuthorizer ¶
func SecretsAuthorizer( ctx context.Context, cfg *config.Config, client interface{}, principal config.PrincipalUrn, action config.Permission, target string) error
No doc comment in source. Read from the signature only: this appears to be the authorization gate the units above refer to — it decides whether principal may perform action on target (consulting cfg and client) and returns a non-nil error when it may not. Confirm against the implementation whether a nil error is the sole success signal before relying on it.
Types ¶
type IamHandle ¶
// IamHandle narrows *iam.Handle to the four methods this package calls, so a
// test double can stand in for the real client.
type IamHandle interface {
	// Policy reads the resource's current IAM policy.
	Policy(context.Context) (*iam.Policy, error)
	// SetPolicy writes an IAM policy to the resource. This is the
	// privilege-granting call (presumably what SecretIamSet drives); nothing
	// in this package authorizes it, so callers must clear the RBAC check first.
	SetPolicy(context.Context, *iam.Policy) error
	// TestPermissions reports which of the given permissions the calling
	// identity holds on the resource (per the iam client's contract; not shown here).
	TestPermissions(context.Context, []string) ([]string, error)
	// V3 returns the v3 policy handle of the underlying client.
	V3() *iam.Handle3
}
Narrow interface over the IAM handle methods this package uses; it lets tests substitute a mock for the real client.
type MockSecretClient ¶
// MockSecretClient is the test double that satisfies SecretManagerClient (and,
// through IAM, the handle methods). Its fields are the canned values the mock
// methods hand back.
// NOTE(review): the method bodies are not on this page; the field roles below
// are inferred from the names and should be confirmed against them.
type MockSecretClient struct {
	Name        string         // secret name the mock reports / expects
	Value       []byte         // payload returned for a version access
	OwnerUser   string         // owner principal surfaced by the mock
	OwnerGroup  string         // owner group principal surfaced by the mock
	SecretsList []*smpb.Secret // secrets yielded by ListSecrets
}
func (MockSecretClient) AccessSecretVersion ¶
func (m MockSecretClient) AccessSecretVersion( ctx context.Context, req *smpb.AccessSecretVersionRequest, options ...gax.CallOption) (*smpb.AccessSecretVersionResponse, error)
func (MockSecretClient) AddSecretVersion ¶
func (m MockSecretClient) AddSecretVersion( ctx context.Context, req *smpb.AddSecretVersionRequest, options ...gax.CallOption) (*smpb.SecretVersion, error)
func (MockSecretClient) CreateSecret ¶
func (m MockSecretClient) CreateSecret( ctx context.Context, req *smpb.CreateSecretRequest, options ...gax.CallOption) (*smpb.Secret, error)
func (MockSecretClient) DeleteSecret ¶
func (m MockSecretClient) DeleteSecret( ctx context.Context, req *smpb.DeleteSecretRequest, options ...gax.CallOption) error
func (MockSecretClient) GetIamPolicy ¶
func (m MockSecretClient) GetIamPolicy(ctx context.Context, req *iampb.GetIamPolicyRequest, options ...gax.CallOption) (*iampb.Policy, error)
func (MockSecretClient) GetWithVersion ¶
func (MockSecretClient) ListSecrets ¶
func (m MockSecretClient) ListSecrets(ctx context.Context, req *smpb.ListSecretsRequest, options ...gax.CallOption) *secretmanager.SecretIterator
type SecretEntry ¶
// SecretEntry is the API-facing view of a secret: identity, creation time and
// owners only — deliberately no secret value. It is what SecretList returns,
// so anything added here is exposed to every caller permitted to list.
type SecretEntry struct {
	Urn string `json:"urn"`
	// Creation time as Unix nanoseconds. int64 nanoseconds runs out in ~290
	// years, which is acceptable for this code. As of 2024 GCP delivers only
	// millisecond precision; nanoseconds are kept to honor the timestamp format
	// GCP aspires to (seconds int64 + nanos int32).
	CreatedEpochNs int64 `json:"createdEpochNs"`
	OwnerGroup string `json:"ownerGroup"`
	OwnerUser string `json:"ownerUser"`
}
Abstraction for an app-control-api secret as returned by SecretList. It hides implementation details and carries no secret value; think before adding fields, since anything here is returned to every caller allowed to list.
func SecretList ¶
func SecretList(ctx context.Context, client SecretManagerClient, projectNumber string) ([]SecretEntry, error)
LIST unit. Performs neither authentication nor authorization. It returns metadata only (URNs and owner principals, no values), but that is still an enumeration of every secret in the project, so guard it with authentication at a minimum.
type SecretManagerClient ¶
// SecretManagerClient is the slice of the Secret Manager client surface this
// package depends on, declared as an interface so MockSecretClient can replace
// the real client in tests. Note it reaches IAM policy two ways: GetIamPolicy
// (raw request/response) and IAM (a *iam.Handle). Method semantics are those
// of the GCP Secret Manager API; the one-liners below are orientation only.
type SecretManagerClient interface {
	// AccessSecretVersion returns a version's payload — the only call here
	// whose response carries plaintext secret material.
	AccessSecretVersion(context.Context, *smpb.AccessSecretVersionRequest, ...gax.CallOption) (*smpb.AccessSecretVersionResponse, error)
	// AddSecretVersion stores a new payload as a new version of a secret.
	AddSecretVersion(context.Context, *smpb.AddSecretVersionRequest, ...gax.CallOption) (*smpb.SecretVersion, error)
	// CreateSecret creates a secret.
	CreateSecret(context.Context, *smpb.CreateSecretRequest, ...gax.CallOption) (*smpb.Secret, error)
	// DeleteSecret deletes a secret.
	DeleteSecret(context.Context, *smpb.DeleteSecretRequest, ...gax.CallOption) error
	// GetIamPolicy reads the IAM policy attached to a resource.
	GetIamPolicy(context.Context, *iampb.GetIamPolicyRequest, ...gax.CallOption) (*iampb.Policy, error)
	// IAM returns an IAM handle for the named resource; see IamHandle for the
	// methods this package uses on it.
	IAM(string) *iam.Handle
	// ListSecrets returns an iterator over secrets (metadata; values are only
	// reachable via AccessSecretVersion).
	ListSecrets(context.Context, *smpb.ListSecretsRequest, ...gax.CallOption) *secretmanager.SecretIterator
}
Narrow interface over the Secret Manager client methods this package uses; it lets tests substitute MockSecretClient for the real client.
type SecretRequest ¶
// SecretRequest is the JSON body of an app-control-api secret request.
// All four fields are caller-controlled. Id must be validated against the
// pattern below before use; OwnerUser and OwnerGroup flow into SecretIamSet,
// where they are bound as IAM principals on the secret, so they need to be
// authorized for the caller, not merely syntax-checked.
type SecretRequest struct {
	Id         string `json:"id"`         // a secret name matching `^[a-zA-Z0-9-_]+$` (Go/RE2 class; the hyphen after 0-9 is a literal); 255 byte max length
	OwnerGroup string `json:"ownerGroup"` // just the plain email address
	OwnerUser  string `json:"ownerUser"`  // just the plain email address
	Value      string `json:"value"`      // expects b64-encoded bytes in a json string; decoded size limit is 64k bytes
}
Body format for an app-control-api secret request