README
¶
Launchr Keyring
Keyring is a launchr plugin and a service providing a password storage functionality encrypted with age. The storage is encrypted with a passphrase.
How to use
To add a new item with an interactive shell:
launchr login
If an interactive shell is not available, credentials may be provided with flags:
# Input passphrase directly
launchr login \
--url=https://your.gitlab.com \
--username=USER \
--password=SECRETPASSWORD \
--keyring-passphrase=YOURPASSHRPASE
# Get passphrase from a file
launchr login \
--url=https://your.gitlab.com \
--username=USER \
--password=SECRETPASSWORD \
--keyring-passphrase-file=/path/to/your/secret
To add a new key-value pair with an interactive shell:
launchr keyring:set your-key
It's possible to parse a user value and store it as a struct in a keyring. Supported formats are [string, yaml, json]:
launchr keyring:set your-key value
It's possible to parse a user value and store it as a struct in a keyring. Possible formats are [string, yaml, json]:
launchr keyring:set key --format yaml -- "- name: test-1
- name: test-2"
launchr keyring:set key --format yaml -- "$(cat file.yaml)"
launchr keyring:set key --format json -- '[
{
"name": "test-1"
},
{
"name": "test-2"
}
]'
launchr keyring:set key --format json -- "$(cat file.json)"
You can dynamically build JSON\YAML wit structures and pass them directly to the command: jq
# Define your variables
TOKEN1="abc123def456"
NAME1="production-api-key"
CREATED1="2025-01-15T10:30:00Z"
TOKEN2="xyz789uvw012"
NAME2="development-token"
CREATED2="2025-01-15T11:45:00Z"
EXPIRES2="2025-07-15T11:45:00Z"
launchr keyring:set api-tokens-json --format json -- "$(jq -n \
--arg t1 "$TOKEN1" --arg n1 "$NAME1" --arg c1 "$CREATED1" \
--arg t2 "$TOKEN2" --arg n2 "$NAME2" --arg c2 "$CREATED2" --arg e2 "$EXPIRES2" \
'[
{
tokenhash: $t1,
name: $n1,
created: $c1,
expires: null
},
{
tokenhash: $t2,
name: $n2,
created: $c2,
expires: $e2
}
]')"
yq using same variables:
launchr keyring:set api-tokens-yaml --format yaml -- "$(yq -n \
'.[0].tokenhash = env(TOKEN1) |
.[0].name = env(NAME1) |
.[0].created = env(CREATED1) |
.[0].expires = null |
.[1].tokenhash = env(TOKEN2) |
.[1].name = env(NAME2) |
.[1].created = env(CREATED2) |
.[1].expires = env(EXPIRES2)')"
Flags --keyring-passphrase and --keyring-passphrase-file are available for all launchr commands, for example:
launchr compose --keyring-passphrase=YOURPASSHRPASE
launchr compose --keyring-passphrase-file=/path/to/your/secret
These flags may be passed as environment variables LAUNCHR_KEYRING_PASSPHRASE and LAUNCHR_KEYRING_PASSPHRASE_FILE:
LAUNCHR_KEYRING_PASSPHRASE=YOURPASSHRPASE launchr compose
LAUNCHR_KEYRING_PASSPHRASE_FILE=/path/to/your/secret launchr compose
Flags and environment variables are taken in the following priority:
--keyring-passphraseLAUNCHR_KEYRING_PASSPHRASE--keyring-passphrase-fileLAUNCHR_KEYRING_PASSPHRASE_FILE
NB: If the binary is created with a specific app name like myappname, the variable name will change accordingly MYAPPNAME_KEYRING_PASSPHRASE_FILE.
Flag --keyring-passphrase-file will also set LAUNCHR_KEYRING_PASSPHRASE_FILE for subprocesses.
These environment variables are inherited in subprocesses.
Using --keyring-passphrase-file or LAUNCHR_KEYRING_PASSPHRASE_FILE is a preferred way to pass the secret because the secret won't be exposed.
To delete an item from the keyring:
launchr logout URL
launchr logout --all
The file is created in .launchr/keyring.yaml.age.
The content may be viewed/edited with age cli:
age -d .launchr/keyring.yaml.age
age -p .launchr/keyring.yaml > .launchr/keyring.yaml.age
In code
Add a module dependency:
go get -u github.com/launchrctl/keyring
To use the keyring in code, get the service from the app:
package main
import (
"github.com/launchrctl/keyring"
"github.com/launchrctl/launchr"
)
func GetPassword(app launchr.App, url string) (keyring.CredentialsItem, error) {
// Get the service by type from the app.
var k keyring.Keyring
app.Services().Get(k)
// Get by url. Error if the keyring could not be unlocked.
// Error keyring.ErrNotFound is returned if an item was not found.
creds, err := k.GetForURL(url)
if err != nil {
return keyring.CredentialsItem{}, err
}
return creds, nil
}
Include with launchr build:
launchr build -p github.com/launchrctl/keyring
Documentation
¶
Overview ¶
Package keyring provides password store functionality.
Index ¶
- Constants
- Variables
- func HandleGitCredential(k Keyring, op GitCredentialOp, in io.Reader, out io.Writer) error
- func RequestCredentialsFromTty(creds *CredentialsItem) error
- func RequestKeyValueFromTty(item *KeyValueItem) error
- func SetupGitCredentialHelper(global bool, urlPattern string, printer *launchr.Terminal) error
- type AskPass
- type AskPassConst
- type AskPassFirstAvailable
- type AskPassWithTerminal
- type CredentialsFile
- type CredentialsItem
- type DataStore
- type DeviceAuthResponse
- type GetCredentialProcessorOptions
- type GetKeyValueProcessorOptions
- type GitCredential
- type GitCredentialOp
- type KeyValueItem
- type Keyring
- type OAuthFlow
- func (f *OAuthFlow) AuthCodeFlow(ctx context.Context, printer *launchr.Terminal) (*oauth2.Token, error)
- func (f *OAuthFlow) DeviceAuth(ctx context.Context) (*DeviceAuthResponse, error)
- func (f *OAuthFlow) PollForToken(ctx context.Context, deviceCode string, interval int) (*oauth2.Token, error)
- func (f *OAuthFlow) RefreshToken(ctx context.Context, refreshToken string) (*oauth2.Token, error)
- type OIDCConfig
- type Plugin
- func (p *Plugin) CobraAddCommands(rootCmd *launchr.Command) error
- func (p *Plugin) DiscoverActions(_ context.Context) ([]*action.Action, error)
- func (p *Plugin) OnAppInit(app launchr.App) error
- func (p *Plugin) PersistentPreRun(cmd *launchr.Command, _ []string) error
- func (p *Plugin) PluginInfo() launchr.PluginInfo
- type SecretItem
Constants ¶
const ( AuthTypeBasic = "basic" AuthTypeOAuth = "oauth" )
Auth type constants.
Variables ¶
var ( ErrNotFound = errors.New("item not found") // ErrNotFound if an item was not found ErrEmptyFields = errors.New("item can't be empty") // ErrEmptyFields if fields are empty ErrEmptyPass = errors.New("passphrase can't be empty") // ErrEmptyPass if a passphrase is empty ErrKeyringMalformed = errors.New("the keyring is malformed") // ErrKeyringMalformed when keyring can't be read. ErrIncorrectPass = errors.New("the given passphrase is incorrect") // ErrIncorrectPass if a passphrase is incorrect )
Keyring errors.
Functions ¶
func HandleGitCredential ¶ added in v0.9.0
HandleGitCredential handles git credential helper operations.
func RequestCredentialsFromTty ¶ added in v0.1.1
func RequestCredentialsFromTty(creds *CredentialsItem) error
RequestCredentialsFromTty gets credentials from tty.
func RequestKeyValueFromTty ¶ added in v0.2.0
func RequestKeyValueFromTty(item *KeyValueItem) error
RequestKeyValueFromTty gets key-value pair from tty.
Types ¶
type AskPass ¶
type AskPass interface {
// GetPass retrieves a passphrase for auth.
GetPass() (string, error)
// NewPass requests for a new passphrase.
NewPass() (string, error)
}
AskPass defines basic interface to retrieve passphrase.
type AskPassConst ¶ added in v0.7.0
AskPassConst implements AskPass and returns constant.
func (AskPassConst) GetPass ¶ added in v0.7.0
func (a AskPassConst) GetPass() (string, error)
GetPass implements AskPass interface.
func (AskPassConst) NewPass ¶ added in v0.7.0
func (a AskPassConst) NewPass() (string, error)
NewPass implements AskPass interface.
type AskPassFirstAvailable ¶ added in v0.7.0
type AskPassFirstAvailable []AskPass
AskPassFirstAvailable tries a chain of AskPass and returns first available.
func (AskPassFirstAvailable) GetPass ¶ added in v0.7.0
func (a AskPassFirstAvailable) GetPass() (string, error)
GetPass implements AskPass interface.
func (AskPassFirstAvailable) NewPass ¶ added in v0.7.0
func (a AskPassFirstAvailable) NewPass() (string, error)
NewPass implements AskPass interface.
type AskPassWithTerminal ¶
type AskPassWithTerminal struct{}
AskPassWithTerminal implements AskPass and uses tty to retrieve passphrase. @todo support pipe and stdin
func (AskPassWithTerminal) GetPass ¶
func (a AskPassWithTerminal) GetPass() (string, error)
GetPass implements AskPass interface.
func (AskPassWithTerminal) NewPass ¶
func (a AskPassWithTerminal) NewPass() (string, error)
NewPass implements AskPass interface.
type CredentialsFile ¶
type CredentialsFile interface {
io.ReadWriteCloser
// Open opens a file in FS with flag open options and perm for file permissions if the file is new.
// See os.OpenFile for more info about flag and perm arguments.
Open(flag int, perm fs.FileMode) error
// Unlock decrypts a file if supported.
Unlock(askNew bool) error
// Lock makes it to request Unlock again.
Lock()
// Remove deletes a file from FS.
Remove() error
// Stat returns a [FileInfo] describing the named file.
// If there is an error, it will be of type [*PathError].
// See os.Stat().
Stat() (fs.FileInfo, error)
}
CredentialsFile is an interface to open and edit credentials file.
func NewAgeFile ¶ added in v0.7.0
func NewAgeFile(fname string, askPass AskPass) CredentialsFile
NewAgeFile creates a CredentialsFile to open a file encrypted with age.
func NewPlainFile ¶ added in v0.7.0
func NewPlainFile(fname string) CredentialsFile
NewPlainFile creates a CredentialsFile to open a plain file.
type CredentialsItem ¶
type CredentialsItem struct {
URL string `yaml:"url"`
Username string `yaml:"username"`
// AuthType distinguishes between "basic" and "oauth" credentials.
// Empty string is treated as "basic" for backward compatibility.
AuthType string `yaml:"auth_type,omitempty"`
// Basic auth fields
Password string `yaml:"password,omitempty"`
// OAuth fields
AccessToken string `yaml:"access_token,omitempty"`
RefreshToken string `yaml:"refresh_token,omitempty"`
ExpiresAt int64 `yaml:"expires_at,omitempty"`
Issuer string `yaml:"issuer,omitempty"`
TokenEndpoint string `yaml:"token_endpoint,omitempty"`
}
CredentialsItem stores credentials. Supports both basic auth (username/password) and OAuth (access_token/refresh_token).
func DoOAuthLogin ¶ added in v0.9.0
func DoOAuthLogin(ctx context.Context, baseURL string, printer *launchr.Terminal) (*CredentialsItem, error)
DoOAuthLogin performs OAuth authentication with the best available flow. It prefers Authorization Code flow (with browser) when available, falling back to Device Authorization flow for headless environments.
func RefreshCredentials ¶ added in v0.9.0
func RefreshCredentials(ctx context.Context, creds CredentialsItem) (*CredentialsItem, bool, error)
RefreshCredentials refreshes OAuth credentials if they are expired. Returns the updated credentials, whether refresh occurred, and any error.
func (CredentialsItem) GetSecret ¶ added in v0.9.0
func (i CredentialsItem) GetSecret() string
GetSecret returns the secret value for authentication. For OAuth credentials, returns the access token. For basic credentials, returns the password.
func (CredentialsItem) IsExpired ¶ added in v0.9.0
func (i CredentialsItem) IsExpired() bool
IsExpired returns true if OAuth token is expired (with 5 minute buffer). Always returns false for basic credentials.
func (CredentialsItem) IsOAuth ¶ added in v0.9.0
func (i CredentialsItem) IsOAuth() bool
IsOAuth returns true if this is an OAuth credential.
type DataStore ¶ added in v0.2.0
type DataStore interface {
// Load loads the keyring data from storage.
// This triggers decryption and passphrase prompt if the keyring is encrypted.
// It is idempotent - subsequent calls return immediately if already loaded.
Load() error
// GetUrls retrieves a list of stored URLs.
GetUrls() ([]string, error)
// GetKeys retrieves a list of stored keys.
GetKeys() ([]string, error)
// GetForURL returns a credentials item by a URL.
// Error is returned if either the keyring could not be unlocked
// Error ErrNotFound if the credentials were not found.
GetForURL(url string) (CredentialsItem, error)
// GetForKey returns a key-value item by a key.
// Error is returned if either the keyring could not be unlocked
// Error ErrNotFound if the key was not found.
GetForKey(key string) (KeyValueItem, error)
// AddItem adds a new credential item.
// Error is returned if the vault couldn't be unlocked.
// Error ErrEmptyFields is returned if item is empty.
AddItem(SecretItem) error
// RemoveByURL deletes an item by url.
// Error is returned if the vault couldn't be unlocked.
// Error ErrNotFound if the credentials were not found.
RemoveByURL(url string) error
// RemoveByKey deletes an item by key.
// Error is returned if the vault couldn't be unlocked.
// Error ErrNotFound if the credentials were not found.
RemoveByKey(key string) error
// CleanStorage cleanups storage (credentials or key-value).
// Error is returned if the vault couldn't be unlocked.
CleanStorage(item SecretItem) error
// Exists checks if keyring exists in persistent storage.
Exists() bool
// Save saves the keyring to the persistent storage.
Save() error
// Destroy removes the keyring from the persistent storage.
Destroy() error
}
DataStore provides password storage functionality.
func NewFileStore ¶ added in v0.7.0
func NewFileStore(f CredentialsFile) DataStore
NewFileStore creates a DataStore using a file.
type DeviceAuthResponse ¶ added in v0.9.0
type DeviceAuthResponse struct {
DeviceCode string `json:"device_code"`
UserCode string `json:"user_code"`
VerificationURI string `json:"verification_uri"`
VerificationURIComplete string `json:"verification_uri_complete"`
ExpiresIn int `json:"expires_in"`
Interval int `json:"interval"`
}
DeviceAuthResponse represents the device authorization response.
type GetCredentialProcessorOptions ¶ added in v0.9.0
type GetCredentialProcessorOptions = *action.GenericValueProcessorOptions[struct { URL string `yaml:"url"` }]
GetCredentialProcessorOptions is a action.ValueProcessorOptions struct for URL-based credentials.
type GetKeyValueProcessorOptions ¶ added in v0.3.1
type GetKeyValueProcessorOptions = *action.GenericValueProcessorOptions[struct { Key string `yaml:"key" validate:"not-empty"` }]
GetKeyValueProcessorOptions is a action.ValueProcessorOptions struct.
type GitCredential ¶ added in v0.9.0
type GitCredential struct {
Protocol string
Host string
Path string
Username string
Password string
}
GitCredential represents a git credential request/response.
func ParseGitCredential ¶ added in v0.9.0
func ParseGitCredential(r io.Reader) (*GitCredential, error)
ParseGitCredential parses git credential helper input from stdin.
func (*GitCredential) BaseURL ¶ added in v0.9.0
func (c *GitCredential) BaseURL() string
BaseURL returns the base URL (protocol://host) without path.
func (*GitCredential) ToURL ¶ added in v0.9.0
func (c *GitCredential) ToURL() string
ToURL constructs a URL from the credential fields.
type GitCredentialOp ¶ added in v0.9.0
type GitCredentialOp string
GitCredentialOp represents a git credential helper operation.
const ( GitCredentialGet GitCredentialOp = "get" GitCredentialStore GitCredentialOp = "store" GitCredentialErase GitCredentialOp = "erase" )
type KeyValueItem ¶ added in v0.2.0
KeyValueItem stores key-value pair.
type Keyring ¶
type Keyring = *keyringService
Keyring is a launchr.Service providing password store functionality.
func NewService ¶ added in v0.7.0
func NewService(store DataStore, mask *launchr.SensitiveMask) Keyring
NewService creates a new Keyring service.
type OAuthFlow ¶ added in v0.9.0
type OAuthFlow struct {
Config *OIDCConfig
ClientID string
Scopes []string
// contains filtered or unexported fields
}
OAuthFlow handles OAuth authentication flows.
func NewOAuthFlow ¶ added in v0.9.0
func NewOAuthFlow(config *OIDCConfig) *OAuthFlow
NewOAuthFlow creates a new OAuth flow handler.
func (*OAuthFlow) AuthCodeFlow ¶ added in v0.9.0
func (f *OAuthFlow) AuthCodeFlow(ctx context.Context, printer *launchr.Terminal) (*oauth2.Token, error)
AuthCodeFlow performs the Authorization Code flow with PKCE. This flow opens a browser and starts a local HTTP server to receive the callback.
func (*OAuthFlow) DeviceAuth ¶ added in v0.9.0
func (f *OAuthFlow) DeviceAuth(ctx context.Context) (*DeviceAuthResponse, error)
DeviceAuth initiates the device authorization flow. This is the preferred flow for CLI tools as it doesn't require a redirect URI.
type OIDCConfig ¶ added in v0.9.0
type OIDCConfig struct {
Issuer string `json:"issuer"`
AuthorizationEndpoint string `json:"authorization_endpoint"`
TokenEndpoint string `json:"token_endpoint"`
DeviceEndpoint string `json:"device_authorization_endpoint"`
UserinfoEndpoint string `json:"userinfo_endpoint"`
JwksURI string `json:"jwks_uri"`
}
OIDCConfig holds the discovered OIDC configuration.
func DiscoverOIDC ¶ added in v0.9.0
func DiscoverOIDC(ctx context.Context, baseURL string) (*OIDCConfig, error)
DiscoverOIDC attempts to discover OIDC configuration from the given URL. Returns nil if no OIDC configuration is found (not an error - just means no OAuth).
type Plugin ¶
type Plugin struct {
// contains filtered or unexported fields
}
Plugin is launchr.Plugin plugin providing a keyring.
func (*Plugin) CobraAddCommands ¶
CobraAddCommands implements launchr.CobraPlugin interface to provide keyring functionality.
func (*Plugin) DiscoverActions ¶ added in v0.3.0
DiscoverActions implements launchr.ActionDiscoveryPlugin interface.
func (*Plugin) OnAppInit ¶ added in v0.1.0
OnAppInit implements launchr.Plugin interface.
func (*Plugin) PersistentPreRun ¶ added in v0.4.0
PersistentPreRun implements launchr.PersistentPreRun interface.
func (*Plugin) PluginInfo ¶
func (p *Plugin) PluginInfo() launchr.PluginInfo
PluginInfo implements launchr.Plugin interface.
type SecretItem ¶ added in v0.2.0
type SecretItem interface {
// contains filtered or unexported methods
}
SecretItem is an interface that represents an item saved in a storage. It is used in the DataStore interface for adding and manipulating items.
Source Files
Directories