-
Notifications
You must be signed in to change notification settings - Fork 5
/
secret.go
117 lines (98 loc) · 4.14 KB
/
secret.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
// Copyright 2020, Square, Inc.
package rotate
import (
"context"
"errors"
"math/rand"
"time"
)
// SecretSetter manages the user-specific secret value. Rotator has only one
// requirement for the secret: it is a JSON string with key-value pairs.
// When Rotator gets the secret, it unmarshals the secret string as JSON into
// the map[string]string and passes it to the interface methods.
//
// The secret value is user-defined. A suggested minimum value is:
//
// {
// "username": "foo",
// "password": "bar"
// }
//
// Using that value as an exmaple, the Rotate method would change "password"
// to rotate the password, and the Credentials method would return "foo", "bar".
//
// RandomPassword is used if no SecretSetter is specified in the Config passed
// to NewRotator.
type SecretSetter interface {
// Init is called before every Secrets Manager rotation step. Any user-specific
// initialization should be done.
Init(ctx context.Context, secret map[string]string) error
// Handler is called if the event is not from Secrets Manager (user-invoked
// password rotation). The event is user-defined data. After calling this method,
// the Lambda function is done and no other methods are called.
Handler(ctx context.Context, event map[string]string) (map[string]string, error)
// Rotate changes the password in the secret. The method is expected to modify
// the secret map. The caller (Rotator) passes the same map to Credentials to
// return the username and password to set on the databases.
Rotate(secret map[string]string) error
// Credentials returns the username and password to set on the databases.
Credentials(secret map[string]string) (username, password string)
}
const (
DEFAULT_PASSWORD_LENGTH = 20 // password character length for RandomPassword
)
// RandomPassword is the default SecretSetter used by Rotator is none is
// specified in the Config. It requires the secret value to have two JSON fields:
// username and password. Other fields are ignored. It sets a random password
// DEFAULT_PASSWORD_LENGTH characters long using these characters:
//
// ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-
//
// RandomPassword does not support Handler (user-invoked password rotation),
// it only supports rotation by Secrets Manager. The password generated by
// RandomPassword may be configured by setting either `PasswordLength` or
// `ValidCharset` on initialization
type RandomPassword struct {
// Options to configure the random password generated.
// PasswordLength defines the length of the password generated by RandomPassword.
// If not provided, DEFAULT_PASSWORD_LENGTH will be used
PasswordLength int
// ValidCharset defines the set of characters that random passwords generated
// by RandomPassword may contain.
// If not provided, the default charset
// ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-
// will be used.
ValidCharset []rune
}
var _ RandomPassword = RandomPassword{}
func (s RandomPassword) Init(context.Context, map[string]string) error {
return nil // nothing we need to do
}
func (s RandomPassword) Handler(context.Context, map[string]string) (map[string]string, error) {
return nil, errors.New("RandomPassword does not support user-invoked password rotation")
}
var chars = []rune("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-")
func (s RandomPassword) Rotate(secret map[string]string) error {
rand.Seed(time.Now().UnixNano())
// Use custom options for RandomPassword (if provided)
passwordLength := s.PasswordLength
if passwordLength == 0 {
passwordLength = DEFAULT_PASSWORD_LENGTH
}
charset := chars
if s.ValidCharset != nil {
charset = s.ValidCharset
}
// Make a `passwordLength` char random password containing characters from
// `charset`
newPassword := make([]rune, passwordLength)
for i := 0; i < passwordLength; i++ {
newPassword[i] = charset[rand.Intn(len(charset))]
}
secret["password"] = string(newPassword)
return nil
}
func (s RandomPassword) Credentials(secret map[string]string) (username, password string) {
// Our secret is really simple, just these fields:
return secret["username"], secret["password"]
}