Documentation
Overview
Package kms provides a unified KMS provider interface for MongoDB CSFLE. Implementations are in subpackages: aws, azure, gcp, local.
Example:
    var p kms.Provider = aws.New(accessKey, secretKey, keyArn)
    creds := p.Credentials()
    defer p.Clear() // securely clear credentials
Index
- Variables
- func HasCustomTLS(p Provider) bool
- func HasMasterKey(p Provider) bool
- func IsFullyFeatured(p Provider) bool
- func NewKeyLengthError(provider string, got, expected int) error
- func NewMissingCredentialError(provider, field string) error
- type CredentialError
- type Credentials
- type Key
- type KeyError
- type Provider
- type ValidationError
Constants
This section is empty.
Variables
var (
    // ErrInvalidCredentials indicates that the provided credentials are invalid or incomplete
    ErrInvalidCredentials = errors.New("invalid credentials")
    // ErrInvalidKey indicates that the provided key is invalid or malformed
    ErrInvalidKey = errors.New("invalid key")
    // ErrConfigurationError indicates a configuration problem with the provider
    ErrConfigurationError = errors.New("configuration error")
)
Base error categories for KMS operations.
Functions
func HasCustomTLS
func HasCustomTLS(p Provider) bool
HasCustomTLS returns true if the provider requires custom TLS configuration.
func HasMasterKey
func HasMasterKey(p Provider) bool
HasMasterKey returns true if the provider supports master key functionality.
func IsFullyFeatured
func IsFullyFeatured(p Provider) bool
IsFullyFeatured returns true if the provider supports all optional features.
func NewKeyLengthError
func NewKeyLengthError(provider string, got, expected int) error
NewKeyLengthError creates a ValidationError for an invalid key length.
func NewMissingCredentialError
func NewMissingCredentialError(provider, field string) error
NewMissingCredentialError creates a ValidationError for a missing credential field.
Types
type CredentialError
type CredentialError struct {
    Provider   string // Name of the provider
    Operation  string // The operation that failed (e.g., "retrieve", "store", "clear")
    Reason     string // Human-readable reason for the failure
    Underlying error  // Optional underlying error
}
CredentialError represents an error with credential handling.
func (CredentialError) Error
func (e CredentialError) Error() string
Error implements the error interface.
func (CredentialError) Unwrap
func (e CredentialError) Unwrap() error
Unwrap returns the underlying error.
type Credentials
Credentials is a map of provider name to a map of key name to value. It represents the authentication credentials for a KMS provider.
Example structure:
    {
        "aws": {
            "accessKeyId": "AKIA...",
            "secretAccessKey": "...",
            "sessionToken": "..." // optional
        }
    }
type Key
Key is a map of key name to value that represents a master key configuration for a KMS provider. The structure varies by provider.
Examples:
- AWS: {"key": "arn:aws:kms:region:account:key/key-id", "region": "us-east-1"}
- Azure: {"keyName": "mykey", "keyVaultEndpoint": "https://vault.vault.azure.net"}
- GCP: {"projectId": "my-project", "location": "global", "keyRing": "ring", "keyName": "key"}
type KeyError
type KeyError struct {
    Provider   string // Name of the provider
    Operation  string // The operation that failed (e.g., "retrieve", "decrypt", "encrypt")
    KeyID      string // Identifier of the key (may be redacted)
    Reason     string // Human-readable reason for the failure
    Underlying error  // Optional underlying error
}
KeyError represents an error with key operations.
type Provider
type Provider interface {
    // Core provider functionality (required)
    Name() string
    Credentials() Credentials
    Clear()
    // Optional functionality (can return nil if not supported)
    MasterKey() Key         // Returns nil if provider doesn't support master keys
    TLSConfig() *tls.Config // Returns nil if provider doesn't need custom TLS
}
Provider represents a unified KMS provider interface. This interface replaces the complex hierarchy of Provider, MasterKey, TLSConfig, etc. All providers implement this single interface, using nil returns for unsupported features.
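The Overview snippet and the Provider interface above, worked into a complete stand-alone program. This is an added example, not code from the kms package or any of its subpackages: Credentials, Key and Provider are re-declared locally with the shapes the page documents, memProvider and NewDemoProvider are constructed stand-ins for a real subpackage, every credential value is made up, and HasMasterKey, HasCustomTLS and IsFullyFeatured are implemented here from their one-line descriptions (a nil return means "unsupported"), which is this example's reading of the interface doc rather than the package's source. The security point it adds is how Clear can actually scrub secrets: they are held as []byte, because a Go string cannot be overwritten in place.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Credentials, Key and Provider mirror the types documented on this page.
// They are re-declared here only so the example compiles stand-alone
// without importing the kms package.
type Credentials map[string]map[string]string
type Key map[string]string

type Provider interface {
	Name() string
	Credentials() Credentials
	Clear()
	MasterKey() Key         // nil when master keys are unsupported
	TLSConfig() *tls.Config // nil when no custom TLS is needed
}

// memProvider is a constructed in-memory provider (not one of the real
// subpackages). Secrets are held as []byte so Clear can overwrite them;
// Go strings are immutable and cannot be scrubbed in place.
type memProvider struct {
	name  string
	creds map[string][]byte
	key   Key
	tls   *tls.Config
}

// NewDemoProvider takes ownership of the secret slices in creds so that
// Clear zeroes the only copy. key and cfg may be nil for "unsupported".
func NewDemoProvider(name string, creds map[string][]byte, key Key, cfg *tls.Config) *memProvider {
	return &memProvider{name: name, creds: creds, key: key, tls: cfg}
}

func (m *memProvider) Name() string { return m.name }

// Credentials returns a string copy in the page's nested-map shape. The
// copy cannot be zeroed later, so keep its lifetime as short as possible.
func (m *memProvider) Credentials() Credentials {
	fields := make(map[string]string, len(m.creds))
	for k, v := range m.creds {
		fields[k] = string(v)
	}
	return Credentials{m.name: fields}
}

// Clear overwrites every secret byte, drops the map entries and forgets the
// master key, so the provider holds nothing sensitive afterwards.
func (m *memProvider) Clear() {
	for k, b := range m.creds {
		for i := range b {
			b[i] = 0
		}
		delete(m.creds, k)
	}
	m.key = nil
}

func (m *memProvider) MasterKey() Key         { return m.key }
func (m *memProvider) TLSConfig() *tls.Config { return m.tls }

// The feature checks below follow the page's descriptions of HasMasterKey,
// HasCustomTLS and IsFullyFeatured; treating a nil return as "unsupported"
// is this example's assumption, not the package's source.
func HasMasterKey(p Provider) bool    { return p.MasterKey() != nil }
func HasCustomTLS(p Provider) bool    { return p.TLSConfig() != nil }
func IsFullyFeatured(p Provider) bool { return HasMasterKey(p) && HasCustomTLS(p) }

func main() {
	// Constructed sample values; nothing here is a real credential or key ARN.
	p := NewDemoProvider("aws",
		map[string][]byte{"accessKeyId": []byte("AKIAEXAMPLE"), "secretAccessKey": []byte("example-secret")},
		Key{"key": "arn:aws:kms:us-east-1:000000000000:key/example", "region": "us-east-1"},
		&tls.Config{MinVersion: tls.VersionTLS12})
	defer p.Clear() // same pattern as the Overview snippet

	fmt.Println(p.Name(), "fully featured:", IsFullyFeatured(p))
	creds := p.Credentials()
	fmt.Println("credential fields:", len(creds["aws"]))
}
```

Because Credentials() hands out strings, the scrub only covers the provider's own copy; a caller that keeps the returned map alive past Clear still holds the secrets, which is why the Overview defers Clear to the end of the scope that uses them.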
type ValidationError
type ValidationError struct {
    Provider string // Name of the provider where validation failed
    Field    string // Name of the field that failed validation
    Value    string // The invalid value (may be redacted for sensitive fields)
    Reason   string // Human-readable reason for the failure
}
ValidationError reports a field-level validation failure for a KMS provider. It wraps ErrConfigurationError via [Unwrap].
func (ValidationError) Error
func (e ValidationError) Error() string
Error implements the error interface.
func (ValidationError) Unwrap
func (e ValidationError) Unwrap() error
Unwrap returns the underlying error category.
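The error model described in the Variables and ValidationError sections, as an added stand-alone example rather than the kms package's own code: ErrConfigurationError and ValidationError are re-declared with the fields the page lists, NewKeyLengthError and NewMissingCredentialError follow the signatures in the index but use message wording chosen here, and ValidateLocalKey, ValidateAWSCredentials and Classify are constructed helpers. The required AWS field names come from the page's Credentials example; the 96-byte length used in main is the documented CSFLE local master key size, which this page does not state. What it shows beyond the text is how Unwrap makes errors.Is work through further wrapping, and how an error type can carry a field name without ever printing key material.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrConfigurationError and ValidationError mirror the declarations on this
// page. They are re-declared here only so the example compiles stand-alone
// without importing the kms package; the real Error() wording may differ.
var ErrConfigurationError = errors.New("configuration error")

type ValidationError struct {
	Provider string // provider where validation failed
	Field    string // field that failed validation
	Value    string // invalid value, redacted for sensitive fields
	Reason   string // human-readable reason
}

// Error never prints raw key material: Value is only ever populated with a
// redacted form by the constructors below, so logging the error is safe.
func (e ValidationError) Error() string {
	msg := fmt.Sprintf("%s: field %q: %s", e.Provider, e.Field, e.Reason)
	if e.Value != "" {
		msg += " (value " + e.Value + ")"
	}
	return msg
}

// Unwrap returns the base category, so errors.Is(err, ErrConfigurationError)
// is true for every ValidationError, however deeply it is wrapped.
func (e ValidationError) Unwrap() error { return ErrConfigurationError }

// NewKeyLengthError and NewMissingCredentialError follow the signatures in
// the index; the Reason text is this example's, not the package's.
func NewKeyLengthError(provider string, got, expected int) error {
	return ValidationError{Provider: provider, Field: "key", Value: "[redacted]",
		Reason: fmt.Sprintf("key length %d bytes, expected %d", got, expected)}
}

func NewMissingCredentialError(provider, field string) error {
	return ValidationError{Provider: provider, Field: field, Reason: "missing required credential"}
}

// ValidateLocalKey is a constructed check for local master key material of
// the expected length (libmongocrypt's local master key is 96 bytes).
func ValidateLocalKey(key []byte, expected int) error {
	if len(key) == 0 {
		return NewMissingCredentialError("local", "key")
	}
	if len(key) != expected {
		return NewKeyLengthError("local", len(key), expected)
	}
	return nil
}

// ValidateAWSCredentials requires the two non-optional fields from the
// page's Credentials example (sessionToken is optional there).
func ValidateAWSCredentials(fields map[string]string) error {
	for _, f := range []string{"accessKeyId", "secretAccessKey"} {
		if fields[f] == "" {
			return NewMissingCredentialError("aws", f)
		}
	}
	return nil
}

// Classify is how a caller consumes these errors: recover the failing field
// with errors.As and test the category with errors.Is, even when the error
// has been wrapped further up the stack.
func Classify(err error) (field string, isConfig bool) {
	var ve ValidationError
	if errors.As(err, &ve) {
		return ve.Field, errors.Is(err, ErrConfigurationError)
	}
	return "", false
}

func main() {
	// Constructed inputs: a key that is too short and an incomplete AWS credential set.
	err := fmt.Errorf("loading kms provider: %w", ValidateLocalKey(make([]byte, 32), 96))
	field, isConfig := Classify(err)
	fmt.Println(err, "| field:", field, "| configuration error:", isConfig)

	field, isConfig = Classify(ValidateAWSCredentials(map[string]string{"accessKeyId": "AKIAEXAMPLE"}))
	fmt.Println("missing AWS field:", field, "| configuration error:", isConfig)
}
```

Callers should branch on errors.Is against the category rather than on message text; the wording is free to change, while the Unwrap contract the page documents is what makes ErrConfigurationError a stable thing to test for.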
Directories
- Package kmsaws provides AWS KMS integration for MongoDB CSFLE.
- Package kmsazure provides Azure Key Vault integration for MongoDB CSFLE.
- Package factory creates kms.Provider instances from config.MongoKMS configuration, routing to the appropriate cloud or local KMS implementation (AWS, Azure, GCP, local).
- Package kmsgcp provides Google Cloud KMS integration for MongoDB CSFLE.
- Package kmslocal provides local key management for MongoDB CSFLE.