feat(auth/csvauth): make secrets non-printing

AJ ONeal 2026-02-21 05:48:18 -07:00
parent af634f2175
commit dd48b2420b
No known key found for this signature in database
2 changed files with 23 additions and 8 deletions


@ -19,11 +19,25 @@ const DefaultPurpose = "login"
type Purpose = string
type Name = string
type secretValue string
func (s secretValue) String() string {
return "[redacted]"
}
func (s secretValue) GoString() string {
return `"[redacted]"`
}
func (s secretValue) MarshalText() string {
return s.String()
}
// Credential represents a row in the CSV file
type Credential struct {
Purpose Purpose
Name Name
plain string
plain secretValue
Params []string
Salt []byte
Derived []byte
@ -32,7 +46,7 @@ type Credential struct {
}
func (c Credential) Secret() string {
return c.plain
return string(c.plain)
}
func FromRecord(record []string) (Credential, error) {
@ -94,7 +108,7 @@ func FromFields(purpose, name, paramList, saltBase64, derived, roleList, extra s
return credential, fmt.Errorf("invalid plain parameters %#v", credential.Params)
}
credential.plain = derived
credential.plain = secretValue(derived)
h := sha256.Sum256([]byte(derived))
credential.Derived = h[:]
case "pbkdf2":
@ -152,7 +166,7 @@ func (c Credential) ToRecord() []string {
derived = base64.RawURLEncoding.EncodeToString(c.Derived)
case "plain":
salt = ""
derived = c.plain
derived = string(c.plain)
case "pbkdf2":
salt = base64.RawURLEncoding.EncodeToString(c.Salt)
derived = base64.RawURLEncoding.EncodeToString(c.Derived)
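Review bot: The redaction added by the `secretValue` methods in the first hunk does not apply when a whole `Credential` is formatted: `fmt` only invokes `String`/`GoString` on values it can `Interface()`, and `plain` is an unexported field, so `fmt.Printf("%+v", cred)` or `%#v` still prints the raw secret exactly as before this commit. Redaction therefore needs to happen at the struct level as well, with a `String`/`GoString` on `Credential` that writes `plain:"[redacted]"` (the struct's remaining fields are outside the hunk, so the sketch below lists only the visible ones). Separately, `MarshalText() string` does not satisfy `encoding.TextMarshaler`, whose signature is `MarshalText() ([]byte, error)`, so text and JSON encoders silently ignore it; the interface-conformant form is shown below. A one-line doc comment on `secretValue` saying that it redacts only when the value itself is formatted would help maintainers not over-trust it.
```go
// MarshalText implements encoding.TextMarshaler so text/JSON encoders
// never see the plaintext. (A `MarshalText() string` method does not
// match the interface and is not called by the encoders.)
func (s secretValue) MarshalText() ([]byte, error) {
	return []byte("[redacted]"), nil
}

// fmt does not call String/GoString on unexported fields, so a
// Credential formatted with %v/%+v/%#v would otherwise print plain.
// Add the remaining fields here as appropriate; never include plain.
func (c Credential) GoString() string {
	return fmt.Sprintf("Credential{Purpose:%q, Name:%q, plain:\"[redacted]\", Params:%q, Salt:%v, Derived:%v}",
		c.Purpose, c.Name, c.Params, c.Salt, c.Derived)
}

func (c Credential) String() string { return c.GoString() }
```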


@ -150,7 +150,7 @@ func (a *Auth) NewCredential(purpose, name, secret string, params []string, role
fmt.Fprintf(os.Stderr, "invalid plain algorithm format: %q\n", strings.Join(params, " "))
os.Exit(1)
}
c.plain = secret
c.plain = secretValue(secret)
c.Params = []string{"plain"}
h := sha256.Sum256([]byte(secret))
@ -171,7 +171,7 @@ func (a *Auth) NewCredential(purpose, name, secret string, params []string, role
var err error
var salt [12]byte
copy(salt[:], c.Salt)
c.plain = secret
c.plain = secretValue(secret)
c.Derived, err = gcmEncrypt(a.aes128key, salt, secret)
if err != nil {
fmt.Fprintf(os.Stderr, "could not aes-128-gcm encrypt secret: %v\n", err)
@ -332,12 +332,13 @@ func (a *Auth) LoadServiceAccount(purpose Purpose) (Credential, error) {
return c, nil
}
func (a *Auth) maybeDecryptCredential(c Credential) (string, error) {
func (a *Auth) maybeDecryptCredential(c Credential) (secretValue, error) {
switch c.Params[0] {
case "aes-128-gcm":
var salt [12]byte
copy(salt[:], c.Salt)
return a.gcmDecrypt(a.aes128key, salt, c.Derived)
plain, err := a.gcmDecrypt(a.aes128key, salt, c.Derived)
return secretValue(plain), err
default:
break
}
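Review bot: In the aes-128-gcm case of maybeDecryptCredential the converted `secretValue(plain)` is returned together with a possibly non-nil `err`, so a caller that mishandles the error receives a value that looks like a valid secret; return the zero value there instead, `if err != nil { return "", fmt.Errorf("decrypting aes-128-gcm credential: %w", err) }` followed by `return secretValue(plain), nil`. More broadly, the wrapper is applied only at the struct field: `NewCredential` still takes `secret string`, and `gcmEncrypt`/`gcmDecrypt` exchange plain strings, so the plaintext remains an ordinary string along the whole call path and the redaction has no effect on anything that formats those arguments or the errors they produce. Converting at the boundary (`gcmDecrypt` returning `secretValue`, `NewCredential` wrapping `secret` once on entry) would keep the protected form end to end. The function's fallback return after the `switch` lies outside the hunk.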