Package auth (github.com/vaultenv/vaultenv-cli/internal/auth), v0.1.0-beta.4. This package is not in the latest version of its module.

Published: Jun 2, 2025. License: MIT. Imports: 18. Imported by: 0.

README

VaultEnv Authentication System

This package provides password management and key derivation functionality for VaultEnv CLI.

Features

  • Secure Key Derivation: Uses Argon2id for password-based key derivation
  • Session Caching: Keys are cached for 15 minutes to improve UX
  • Zero-Knowledge: Server never has access to passwords or derived keys
  • Keystore Integration: Secure storage of salt and verification data
  • Environment Variable Support: CI/CD friendly with VAULTENV_PASSWORD
  • Import/Export: Backup and restore key configurations

Usage

Basic Setup
import (
    "github.com/vaultenv/vaultenv-cli/internal/auth"
    "github.com/vaultenv/vaultenv-cli/internal/keystore"
)

// Initialize keystore
ks, err := keystore.NewKeystore("/path/to/data/dir")
if err != nil {
    // handle error
}
defer ks.Close()

// Create password manager. NewPasswordManager also takes the loaded
// *config.Config (see its signature in the Documentation section below);
// cfg is assumed to have been loaded by the caller beforehand.
pm := auth.NewPasswordManager(ks, cfg)

// Get or create master key for a project. The derived key is cached in the
// session for 15 minutes, so later calls in the same run do not prompt again.
key, err := pm.GetOrCreateMasterKey("my-project")
if err != nil {
    // handle error
}

// Use key for encryption/decryption
// ...

Environment Variable Support

For CI/CD environments, you can set the VAULTENV_PASSWORD environment variable:

export VAULTENV_PASSWORD="your-secure-password"
vaultenv get DATABASE_URL

Password Operations
// Change password for a project (prompts for the current and the new password)
err := pm.ChangePassword("my-project")

// Verify a password. password is the string obtained from a prompt or from
// VAULTENV_PASSWORD; a non-nil error means it did not match the stored data.
err = pm.VerifyPassword("my-project", password)

// Export key configuration (for backup). The password is required here and
// again when the export is imported.
exportData, err := pm.ExportKey("my-project", password)

// Import key configuration (restore from backup)
err = pm.ImportKey("new-project", exportData, password)

Session Management
// Clear all cached keys
pm.ClearSessionCache()

// Clear cache for specific project
pm.ClearProjectCache("my-project")
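The README describes the session cache only through its two clearing operations and the 15-minute inactivity timeout. The following is an added stand-alone example, not code from the vaultenv-cli project: a small cache with the same two clearing operations, an injectable clock so the expiry rule can be tested deterministically, and zeroing of key material when an entry is evicted or cleared. The names SessionCache, Put, Get and Len are this example's own and do not exist in the package.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// sessionTTL mirrors the 15-minute inactivity timeout stated in the README.
const sessionTTL = 15 * time.Minute

type cachedKey struct {
	key      []byte
	lastUsed time.Time
}

// SessionCache holds derived keys per project so the user is not re-prompted on
// every command. Every successful Get refreshes lastUsed, so the TTL counts from
// the last use rather than from insertion (the "inactivity" semantics).
type SessionCache struct {
	mu    sync.Mutex
	now   func() time.Time // injectable clock; time.Now in real use
	ttl   time.Duration
	items map[string]*cachedKey
}

func NewSessionCache(ttl time.Duration, now func() time.Time) *SessionCache {
	if now == nil {
		now = time.Now
	}
	return &SessionCache{now: now, ttl: ttl, items: make(map[string]*cachedKey)}
}

// Put stores a private copy of key so the caller's slice can be wiped independently.
func (c *SessionCache) Put(projectID string, key []byte) {
	c.mu.Lock()
	defer c.mu.Unlock()
	k := make([]byte, len(key))
	copy(k, key)
	c.items[projectID] = &cachedKey{key: k, lastUsed: c.now()}
}

// Get returns a copy of the cached key if it was used within ttl. An expired
// entry is zeroed and dropped on the spot instead of lingering in memory.
func (c *SessionCache) Get(projectID string) ([]byte, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.items[projectID]
	if !ok {
		return nil, false
	}
	t := c.now()
	if t.Sub(e.lastUsed) > c.ttl {
		zero(e.key)
		delete(c.items, projectID)
		return nil, false
	}
	e.lastUsed = t
	out := make([]byte, len(e.key))
	copy(out, e.key)
	return out, true
}

// ClearProjectCache drops one project's key, as in the README.
func (c *SessionCache) ClearProjectCache(projectID string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.items[projectID]; ok {
		zero(e.key)
		delete(c.items, projectID)
	}
}

// ClearSessionCache drops every cached key, as in the README.
func (c *SessionCache) ClearSessionCache() {
	c.mu.Lock()
	defer c.mu.Unlock()
	for id, e := range c.items {
		zero(e.key)
		delete(c.items, id)
	}
}

// Len reports how many entries are currently held (expired ones included until touched).
func (c *SessionCache) Len() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.items)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	c := NewSessionCache(sessionTTL, nil)
	c.Put("my-project", []byte("constructed-key-bytes")) // constructed sample key
	_, hit := c.Get("my-project")
	fmt.Println("cached:", hit, "entries:", c.Len())
	c.ClearSessionCache()
	fmt.Println("entries after clear:", c.Len())
}
```

Returning copies from Get and zeroing on eviction are the two details worth carrying into any real cache of this kind: the first keeps callers from mutating the cached key, the second keeps an expired key from surviving in the heap until garbage collection.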

Security Considerations

  1. Password Requirements: Minimum 8 characters enforced

  2. Key Derivation: Uses Argon2id with:
     • Time cost: 3 iterations
     • Memory cost: 64 MB
     • Parallelism: 4 threads
     • Output: 256-bit key

  3. Salt Generation: 32 bytes of cryptographically secure random data

  4. Verification: SHA-256 based verification hash stored separately

  5. Session Cache: Keys expire after 15 minutes of inactivity

Integration with CLI Commands

See integration_example.go for examples of how to integrate the authentication system with Cobra commands.

Testing

Run tests with:

go test ./internal/auth -v

The test suite includes:

  • Key derivation tests
  • Salt generation tests
  • Session caching tests
  • Import/export functionality
  • Environment variable handling

Documentation

Index

Constants

This section is empty.

Variables

var (
	ErrInvalidPassword    = errors.New("invalid password")
	ErrPasswordMismatch   = errors.New("passwords do not match")
	ErrPasswordTooShort   = errors.New("password must be at least 8 characters")
	ErrNoPasswordProvided = errors.New("no password provided")
)

Functions

func ExampleEnvironmentVariable

func ExampleEnvironmentVariable(pm *PasswordManager, projectID string) error

ExampleEnvironmentVariable shows how to use an environment variable for CI/CD

func ExampleUsage

func ExampleUsage()

ExampleUsage shows how to use the password manager in CLI commands

Types

type AuthenticatedCommand

type AuthenticatedCommand struct {
	// contains filtered or unexported fields
}

ExampleCLIIntegration shows how to integrate with Cobra commands

func (*AuthenticatedCommand) Execute

func (ac *AuthenticatedCommand) Execute() error

type PasswordManager

type PasswordManager struct {
	// contains filtered or unexported fields
}

PasswordManager handles password operations and key derivation

func InitializeAuth

func InitializeAuth(dataDir, projectID string) (*PasswordManager, error)

InitializeAuth initializes the authentication system for a project

func NewPasswordManager

func NewPasswordManager(ks *keystore.Keystore, cfg *config.Config) *PasswordManager

NewPasswordManager creates a new password manager instance

func (*PasswordManager) ChangeEnvironmentPassword

func (pm *PasswordManager) ChangeEnvironmentPassword(environment string) error

ChangeEnvironmentPassword changes the password for a specific environment

func (*PasswordManager) ChangePassword

func (pm *PasswordManager) ChangePassword(projectID string) error

ChangePassword changes the password for a project

func (*PasswordManager) ClearEnvironmentCache

func (pm *PasswordManager) ClearEnvironmentCache(environment string)

ClearEnvironmentCache clears cached session key for a specific environment

func (*PasswordManager) ClearProjectCache

func (pm *PasswordManager) ClearProjectCache(projectID string)

ClearProjectCache clears cached session key for a specific project

func (*PasswordManager) ClearSessionCache

func (pm *PasswordManager) ClearSessionCache()

ClearSessionCache clears all cached session keys

func (*PasswordManager) DeriveKey

func (pm *PasswordManager) DeriveKey(password string, salt []byte) []byte

DeriveKey derives an encryption key from a password using Argon2

func (*PasswordManager) ExportKey

func (pm *PasswordManager) ExportKey(projectID string, password string) (string, error)

ExportKey exports the encryption key in a safe format for backup

func (*PasswordManager) GenerateSalt

func (pm *PasswordManager) GenerateSalt() ([]byte, error)

GenerateSalt generates a new random salt

func (*PasswordManager) GetOrCreateEnvironmentKey

func (pm *PasswordManager) GetOrCreateEnvironmentKey(environment string) ([]byte, error)

GetOrCreateEnvironmentKey gets the encryption key for a specific environment, creating it if necessary

func (*PasswordManager) GetOrCreateMasterKey

func (pm *PasswordManager) GetOrCreateMasterKey(projectID string) ([]byte, error)

GetOrCreateMasterKey gets the master key for a project, creating it if necessary

func (*PasswordManager) GetPasswordFromEnv

func (pm *PasswordManager) GetPasswordFromEnv() (string, bool)

GetPasswordFromEnv gets password from environment variable if set

func (*PasswordManager) ImportKey

func (pm *PasswordManager) ImportKey(projectID string, exportData string, password string) error

ImportKey imports a key from export format

func (*PasswordManager) PromptEnvironmentPassword

func (pm *PasswordManager) PromptEnvironmentPassword(environment, prompt string) (string, error)

PromptEnvironmentPassword prompts for a password for a specific environment

func (*PasswordManager) PromptNewEnvironmentPassword

func (pm *PasswordManager) PromptNewEnvironmentPassword(environment string) (string, error)

PromptNewEnvironmentPassword prompts for a new password for an environment with policy validation

func (*PasswordManager) PromptNewPassword

func (pm *PasswordManager) PromptNewPassword() (string, error)

PromptNewPassword prompts for a new password with confirmation

func (*PasswordManager) PromptPassword

func (pm *PasswordManager) PromptPassword(prompt string) (string, error)

PromptPassword prompts the user for a password with the given prompt message

func (*PasswordManager) VerifyPassword

func (pm *PasswordManager) VerifyPassword(projectID, password string) error

VerifyPassword verifies a password against stored key data
