Fix GetValue methods to return LockedBuffer internally

- Changed Secret.GetValue and Version.GetValue to return *memguard.LockedBuffer
- Updated all internal callers to handle LockedBuffer properly
- For backward compatibility, vault.GetSecret still returns []byte but makes a copy
- This ensures decrypted secret values are held in protected memory (the plaintext is moved into a LockedBuffer) rather than left in a plain []byte
- Updated tests to handle LockedBuffer returns
- Fixed CLI getSecretValue to use LockedBuffer throughout
This commit is contained in:
2025-07-15 08:59:23 +02:00
parent 819902f385
commit 8ec3fc877d
6 changed files with 32 additions and 39 deletions


@@ -63,7 +63,7 @@ func NewSecret(vault VaultInterface, name string) *Secret {
}
// GetValue retrieves and decrypts the current version's value using the provided unlocker
func (s *Secret) GetValue(unlocker Unlocker) ([]byte, error) {
func (s *Secret) GetValue(unlocker Unlocker) (*memguard.LockedBuffer, error) {
DebugWith("Getting secret value",
slog.String("secret_name", s.Name),
slog.String("vault_name", s.vault.GetName()),
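Review bot: The doc comment on line 19 still reads as if GetValue hands back a plain value, but the new signature on line 21 returns a *memguard.LockedBuffer that the caller must release, and nothing tells them so. I would extend the comment to state the ownership rule: `// GetValue retrieves and decrypts the current version's value using the provided unlocker.` followed by `// The returned LockedBuffer is owned by the caller, who must call Destroy() once the value is no longer needed.` Secret.GetValue's body continues outside the hunk, so I cannot see where the buffer comes from or confirm that a nil buffer is always paired with a non-nil error.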


@@ -324,7 +324,7 @@ func (sv *Version) LoadMetadata(ltIdentity *age.X25519Identity) error {
}
// GetValue retrieves and decrypts the version value
func (sv *Version) GetValue(ltIdentity *age.X25519Identity) ([]byte, error) {
func (sv *Version) GetValue(ltIdentity *age.X25519Identity) (*memguard.LockedBuffer, error) {
DebugWith("Getting version value",
slog.String("secret_name", sv.SecretName),
slog.String("version", sv.Version),
@@ -388,12 +388,15 @@ func (sv *Version) GetValue(ltIdentity *age.X25519Identity) ([]byte, error) {
return nil, fmt.Errorf("failed to decrypt version value: %w", err)
}
// Create a secure buffer for the decrypted value
valueBuffer := memguard.NewBufferFromBytes(value)
Debug("Successfully retrieved version value",
"version", sv.Version,
"value_length", len(value),
"is_empty", len(value) == 0)
"value_length", valueBuffer.Size(),
"is_empty", valueBuffer.Size() == 0)
return value, nil
return valueBuffer, nil
}
// ListVersions lists all versions of a secret
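Review bot: The new `memguard.NewBufferFromBytes(value)` on line 40 will, as I read memguard, panic on an empty plaintext, because NewBufferFromBytes calls NewBuffer(len(src)) and NewBuffer panics when the size is below one (core.ErrNullBuffer). The very next statement logs `"is_empty", valueBuffer.Size() == 0`, so empty values are evidently anticipated here, yet that log line could never be reached for one. Either reject an empty secret explicitly before building the buffer, `if len(value) == 0 { return nil, fmt.Errorf("decrypted value of version %s is empty", sv.Version) }`, or handle the zero-length case separately so callers still receive a buffer they can Destroy(); the choice should be stated in GetValue's doc comment along with the rule that the caller owns the returned buffer and must Destroy() it. Whichever is chosen deserves a test. GetValue's signature and the decryption call sit above this hunk, so I cannot see whether an earlier check already rules out an empty plaintext.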


@@ -255,10 +255,11 @@ func TestSecretVersionGetValue(t *testing.T) {
require.NoError(t, err)
// Retrieve the value
retrievedValue, err := sv.GetValue(ltIdentity)
retrievedBuffer, err := sv.GetValue(ltIdentity)
require.NoError(t, err)
defer retrievedBuffer.Destroy()
assert.Equal(t, expectedValue, retrievedValue)
assert.Equal(t, expectedValue, retrievedBuffer.Bytes())
}
func TestListVersions(t *testing.T) {
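Review bot: The updated test still covers only a non-empty value, while the production code it exercises logs an is_empty field, so the empty-plaintext path has no coverage; I would add a second case that stores an empty value and asserts what GetValue is meant to do with it (an error, or a buffer with Size() 0), since, as I read memguard, NewBufferFromBytes does not accept a zero-length slice. The `defer retrievedBuffer.Destroy()` on line 60 is correctly placed after the NoError check, so a nil buffer on the error path is never dereferenced. TestSecretVersionGetValue begins before the hunk, so the fixture that writes expectedValue is not visible here.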