feat(auth/csvauth): make secrets non-printing

This commit is contained in:
AJ ONeal 2026-02-21 05:48:18 -07:00
parent af634f2175
commit dd48b2420b
No known key found for this signature in database
2 changed files with 23 additions and 8 deletions


@ -19,11 +19,25 @@ const DefaultPurpose = "login"
type Purpose = string type Purpose = string
type Name = string type Name = string
type secretValue string
func (s secretValue) String() string {
return "[redacted]"
}
func (s secretValue) GoString() string {
return `"[redacted]"`
}
func (s secretValue) MarshalText() string {
return s.String()
}
// Credential represents a row in the CSV file // Credential represents a row in the CSV file
type Credential struct { type Credential struct {
Purpose Purpose Purpose Purpose
Name Name Name Name
plain string plain secretValue
Params []string Params []string
Salt []byte Salt []byte
Derived []byte Derived []byte
@ -32,7 +46,7 @@ type Credential struct {
} }
func (c Credential) Secret() string { func (c Credential) Secret() string {
return c.plain return string(c.plain)
} }
func FromRecord(record []string) (Credential, error) { func FromRecord(record []string) (Credential, error) {
@ -94,7 +108,7 @@ func FromFields(purpose, name, paramList, saltBase64, derived, roleList, extra s
return credential, fmt.Errorf("invalid plain parameters %#v", credential.Params) return credential, fmt.Errorf("invalid plain parameters %#v", credential.Params)
} }
credential.plain = derived credential.plain = secretValue(derived)
h := sha256.Sum256([]byte(derived)) h := sha256.Sum256([]byte(derived))
credential.Derived = h[:] credential.Derived = h[:]
case "pbkdf2": case "pbkdf2":
@ -152,7 +166,7 @@ func (c Credential) ToRecord() []string {
derived = base64.RawURLEncoding.EncodeToString(c.Derived) derived = base64.RawURLEncoding.EncodeToString(c.Derived)
case "plain": case "plain":
salt = "" salt = ""
derived = c.plain derived = string(c.plain)
case "pbkdf2": case "pbkdf2":
salt = base64.RawURLEncoding.EncodeToString(c.Salt) salt = base64.RawURLEncoding.EncodeToString(c.Salt)
derived = base64.RawURLEncoding.EncodeToString(c.Derived) derived = base64.RawURLEncoding.EncodeToString(c.Derived)
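Review bot: `MarshalText` on `secretValue` has the wrong signature: `encoding.TextMarshaler` requires `MarshalText() ([]byte, error)`, so `encoding/json` (and, for example, `slog`'s JSON handler, which marshals unknown kinds with it) will never find the method and will encode the underlying string — the plaintext — unchanged, while `String()`/`GoString()` give the impression the value is covered everywhere. Change it to `func (s secretValue) MarshalText() ([]byte, error) { return []byte(s.String()), nil }` and pin the contract with `var _ encoding.TextMarshaler = secretValue("")` so the compiler catches future drift. Today the `plain` field is unexported, so `json.Marshal` of a `Credential` skips it regardless; the exposure is a bare `secretValue` handed to an encoder or structured logger, which the new `maybeDecryptCredential` return type makes more likely. The type also has no doc comment; suggest `// secretValue is a string whose fmt, %#v and text-marshal forms print "[redacted]"; convert with string(v) only where the plaintext is deliberately needed.`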


@ -150,7 +150,7 @@ func (a *Auth) NewCredential(purpose, name, secret string, params []string, role
fmt.Fprintf(os.Stderr, "invalid plain algorithm format: %q\n", strings.Join(params, " ")) fmt.Fprintf(os.Stderr, "invalid plain algorithm format: %q\n", strings.Join(params, " "))
os.Exit(1) os.Exit(1)
} }
c.plain = secret c.plain = secretValue(secret)
c.Params = []string{"plain"} c.Params = []string{"plain"}
h := sha256.Sum256([]byte(secret)) h := sha256.Sum256([]byte(secret))
@ -171,7 +171,7 @@ func (a *Auth) NewCredential(purpose, name, secret string, params []string, role
var err error var err error
var salt [12]byte var salt [12]byte
copy(salt[:], c.Salt) copy(salt[:], c.Salt)
c.plain = secret c.plain = secretValue(secret)
c.Derived, err = gcmEncrypt(a.aes128key, salt, secret) c.Derived, err = gcmEncrypt(a.aes128key, salt, secret)
if err != nil { if err != nil {
fmt.Fprintf(os.Stderr, "could not aes-128-gcm encrypt secret: %v\n", err) fmt.Fprintf(os.Stderr, "could not aes-128-gcm encrypt secret: %v\n", err)
@ -332,12 +332,13 @@ func (a *Auth) LoadServiceAccount(purpose Purpose) (Credential, error) {
return c, nil return c, nil
} }
func (a *Auth) maybeDecryptCredential(c Credential) (string, error) { func (a *Auth) maybeDecryptCredential(c Credential) (secretValue, error) {
switch c.Params[0] { switch c.Params[0] {
case "aes-128-gcm": case "aes-128-gcm":
var salt [12]byte var salt [12]byte
copy(salt[:], c.Salt) copy(salt[:], c.Salt)
return a.gcmDecrypt(a.aes128key, salt, c.Derived) plain, err := a.gcmDecrypt(a.aes128key, salt, c.Derived)
return secretValue(plain), err
default: default:
break break
} }
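Review bot: `maybeDecryptCredential` changes its return type to `secretValue` without a doc comment stating what the non-GCM branches yield; the function's tail after `default: break` is outside the hunk, so the fallback value is not visible here. Suggest `// maybeDecryptCredential returns the secret of c as a non-printing secretValue, decrypting c.Derived with a.aes128key when Params[0] is "aes-128-gcm"; other algorithms presumably pass the stored value through — confirm against the tail of the function.` The context line `switch c.Params[0]` also indexes without a length check, so a `Credential` that reaches this method with an empty `Params` slice panics rather than erroring; if `FromRecord` does not already guarantee at least one parameter, a guard such as `if len(c.Params) == 0 { return "", fmt.Errorf("credential has no algorithm parameters") }` before the switch would close that, and the decrypt error on the new return line could carry context, `return secretValue(plain), fmt.Errorf("decrypting aes-128-gcm credential: %w", err)` (only when `err != nil`).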