Types ¶
type HistoricalKeyInfo ¶
// HistoricalKeyInfo is the per-key summary reported in
// RotationStatus.HistoricalKeys; it carries metadata only, never key material.
type HistoricalKeyInfo struct {
	// KeyID identifies the key in the KeyStore.
	KeyID string
	// CreatedAt is the key's creation time.
	CreatedAt time.Time
	// ExpiresAt is the time after which the key is no longer considered valid.
	// NOTE(review): presumably the end of the overlap window set by
	// WithOverlapDuration — confirm against RotateKey.
	ExpiresAt time.Time
	// IsCurrent reports whether this key is the one currently used for signing.
	IsCurrent bool
}
HistoricalKeyInfo contains information about a historical key
type KeyStore ¶
// KeyStore manages JWT signing keys and supports rotation: at most one key is
// current at a time, and older keys stay retrievable (for verifying tokens
// issued before rotation) until DeleteKey removes them.
type KeyStore interface {
	// GetCurrentKey returns the current active signing key.
	GetCurrentKey(ctx context.Context) (*SigningKey, error)
	// GetKey retrieves a specific key by ID.
	// The returned SigningKey includes the private key, so callers that only
	// verify tokens should not expose it further.
	GetKey(ctx context.Context, keyID string) (*SigningKey, error)
	// ListKeys returns all available keys (current and historical).
	ListKeys(ctx context.Context) ([]*SigningKey, error)
	// RotateKey creates a new signing key and marks it as current.
	// NOTE(review): whether the previous key is also re-marked as not current
	// is an implementation detail not documented here — confirm per store.
	RotateKey(ctx context.Context) (*SigningKey, error)
	// DeleteKey removes a key by ID. It is used to clean up old keys after the
	// overlap period; deleting a key makes tokens it signed unverifiable.
	DeleteKey(ctx context.Context, keyID string) error
}
KeyStore manages JWT signing keys with support for rotation
type KubernetesKeyStore ¶
// KubernetesKeyStore implements KeyStore, persisting signing keys as
// Kubernetes Secrets in the namespace given to NewKubernetesKeyStore.
// NOTE(review): the confidentiality of the private keys therefore rests on
// the cluster's Secret protections (namespace RBAC, encryption at rest);
// confirm those are in place wherever this store is deployed.
type KubernetesKeyStore struct {
	// contains filtered or unexported fields
}
KubernetesKeyStore implements KeyStore using Kubernetes secrets
func NewKubernetesKeyStore ¶
func NewKubernetesKeyStore(clientset kubernetes.Interface, namespace string, opts ...KubernetesKeyStoreOption) *KubernetesKeyStore
NewKubernetesKeyStore creates a new Kubernetes-backed key store
func (*KubernetesKeyStore) DeleteKey ¶
func (ks *KubernetesKeyStore) DeleteKey(ctx context.Context, keyID string) error
DeleteKey removes a key by ID from storage
func (*KubernetesKeyStore) GetCurrentKey ¶
func (ks *KubernetesKeyStore) GetCurrentKey(ctx context.Context) (*SigningKey, error)
GetCurrentKey returns the current active signing key
func (*KubernetesKeyStore) GetKey ¶
func (ks *KubernetesKeyStore) GetKey(ctx context.Context, keyID string) (*SigningKey, error)
GetKey retrieves a specific key by ID
func (*KubernetesKeyStore) ListKeys ¶
func (ks *KubernetesKeyStore) ListKeys(ctx context.Context) ([]*SigningKey, error)
ListKeys returns all available keys (current and historical)
func (*KubernetesKeyStore) RotateKey ¶
func (ks *KubernetesKeyStore) RotateKey(ctx context.Context) (*SigningKey, error)
RotateKey creates a new signing key and marks it as current
type KubernetesKeyStoreOption ¶
// KubernetesKeyStoreOption is a functional option applied by
// NewKubernetesKeyStore; see WithLogger.
type KubernetesKeyStoreOption func(*KubernetesKeyStore)
KubernetesKeyStoreOption is a functional option for KubernetesKeyStore
func WithLogger ¶
func WithLogger(logger *slog.Logger) KubernetesKeyStoreOption
WithLogger sets a custom logger
type RotationManager ¶
// RotationManager decides when the current key in a KeyStore should be
// rotated, based on the interval from WithRotationDays, and performs the
// rotation through the store (see CheckAndRotate and RotateKeyEmergency).
type RotationManager struct {
	// contains filtered or unexported fields
}
RotationManager handles key rotation logic
func NewRotationManager ¶
func NewRotationManager(keyStore KeyStore, opts ...RotationManagerOption) *RotationManager
NewRotationManager creates a new rotation manager
func (*RotationManager) CheckAndRotate ¶
func (rm *RotationManager) CheckAndRotate(ctx context.Context) (bool, error)
CheckAndRotate checks whether the current key needs rotation and rotates it if necessary. It returns true if a rotation was performed, false otherwise.
func (*RotationManager) GetKeyRotationStatus ¶
func (rm *RotationManager) GetKeyRotationStatus(ctx context.Context) (*RotationStatus, error)
GetKeyRotationStatus returns information about the current key rotation status
func (*RotationManager) RotateKeyEmergency ¶
func (rm *RotationManager) RotateKeyEmergency(ctx context.Context) (*SigningKey, error)
RotateKeyEmergency performs an immediate key rotation regardless of the current key's age. Use it only in emergency situations (e.g., suspected key compromise).
type RotationManagerOption ¶
// RotationManagerOption is a functional option applied by NewRotationManager;
// see WithOverlapDuration, WithRotationDays and WithRotationLogger.
type RotationManagerOption func(*RotationManager)
RotationManagerOption is a functional option for RotationManager
func WithOverlapDuration ¶
func WithOverlapDuration(duration time.Duration) RotationManagerOption
WithOverlapDuration sets the overlap duration during which old keys remain valid.
func WithRotationDays ¶
func WithRotationDays(days int) RotationManagerOption
WithRotationDays sets the key rotation interval in days
func WithRotationLogger ¶
func WithRotationLogger(logger *slog.Logger) RotationManagerOption
WithRotationLogger sets a custom logger
type RotationStatus ¶
// RotationStatus is the snapshot returned by RotationManager.GetKeyRotationStatus.
// It describes the current key, the configured rotation policy and the other
// keys held in the store; it contains no key material.
type RotationStatus struct {
	// CurrentKeyID identifies the active signing key.
	CurrentKeyID string
	// CurrentKeyCreatedAt is the active key's creation time.
	CurrentKeyCreatedAt time.Time
	// CurrentKeyExpiresAt is the active key's expiry time.
	CurrentKeyExpiresAt time.Time
	// KeyAgeDays is the age of the active key in whole days.
	KeyAgeDays int
	// RotationThresholdDays is the configured interval (see WithRotationDays)
	// after which the key is due for rotation.
	RotationThresholdDays int
	// DaysUntilRotation is the number of days remaining before rotation is due.
	// NOTE(review): not documented whether this goes negative once overdue — confirm.
	DaysUntilRotation int
	// IsRotationNeeded reports whether the active key has reached the threshold.
	IsRotationNeeded bool
	// OverlapDurationHours is the configured overlap window (see
	// WithOverlapDuration), expressed in hours.
	OverlapDurationHours int
	// TotalKeysInStore is the number of keys the KeyStore currently holds.
	TotalKeysInStore int
	// HistoricalKeys lists the keys in the store, current and historical.
	HistoricalKeys []HistoricalKeyInfo
}
RotationStatus contains information about the current rotation status
type SigningKey ¶
// SigningKey is an ECDSA JWT signing key together with its lifecycle metadata.
// The private key is excluded from JSON encoding; everything else is public.
type SigningKey struct {
	// KeyID identifies the key (and is what a JWT's "kid" header would carry).
	KeyID string `json:"key_id"`
	// PrivateKey is the signing half. The `json:"-"` tag keeps it out of any
	// encoded form; do not add it to logs or status output either.
	PrivateKey *ecdsa.PrivateKey `json:"-"` // Never serialize private key
	// PublicKey is the verification half.
	// NOTE(review): encoding/json has no special handling for ecdsa.PublicKey,
	// so "public_key" is its raw fields rather than a JWK — confirm that
	// consumers can recover the curve from that form.
	PublicKey *ecdsa.PublicKey `json:"public_key"`
	// CreatedAt is when the key was generated.
	CreatedAt time.Time `json:"created_at"`
	// ExpiresAt is when the key stops being valid for verification.
	ExpiresAt time.Time `json:"expires_at"`
	// IsCurrent reports whether this key is used for signing new tokens.
	IsCurrent bool `json:"is_current"`
}
SigningKey represents a JWT signing key with metadata