Fix GetValue methods to return LockedBuffer internally

- Changed Secret.GetValue and Version.GetValue to return *memguard.LockedBuffer
- Updated all internal callers to handle LockedBuffer properly
- For backward compatibility, vault.GetSecret still returns []byte but makes a copy
- This ensures secret values are protected in memory during decryption
- Updated tests to handle LockedBuffer returns
- Fixed CLI getSecretValue to use LockedBuffer throughout
This commit is contained in:
2025-07-15 08:59:23 +02:00
parent 819902f385
commit 8ec3fc877d
6 changed files with 32 additions and 39 deletions


@@ -393,21 +393,26 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
return nil, fmt.Errorf("failed to decrypt version: %w", err)
}
// Create a copy to return since the buffer will be destroyed
result := make([]byte, decryptedValue.Size())
copy(result, decryptedValue.Bytes())
decryptedValue.Destroy()
secret.DebugWith("Successfully decrypted secret version",
slog.String("secret_name", name),
slog.String("version", version),
slog.String("vault_name", v.Name),
slog.Int("decrypted_length", len(decryptedValue)),
slog.Int("decrypted_length", len(result)),
)
// Debug: Log metadata about the decrypted value without exposing the actual secret
secret.Debug("Vault secret decryption debug info",
"secret_name", name,
"version", version,
"decrypted_value_length", len(decryptedValue),
"is_empty", len(decryptedValue) == 0)
"decrypted_value_length", len(result),
"is_empty", len(result) == 0)
return decryptedValue, nil
return result, nil
}
// UnlockVault unlocks the vault and returns the long-term private key
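Review bot: The copy made on the new lines `result := make([]byte, decryptedValue.Size())` and `copy(result, decryptedValue.Bytes())` is an ordinary GC-managed slice, so the moment `decryptedValue.Destroy()` runs the plaintext is sitting in memory that is no longer locked, guarded or wiped — the protection the commit message describes ends at the return statement. That is a reasonable compatibility trade-off, but the contract should be stated on the function so callers know they hold the only unprotected copy: `// Returns a plain heap copy of the plaintext; it is NOT memguard-protected, and the caller should wipe it (e.g. memguard.WipeBytes, if the vendored version provides it) as soon as it is no longer needed.` Placing `defer decryptedValue.Destroy()` immediately after the decrypt error check, instead of the explicit call after the copy, would also guarantee the locked buffer is released on every path rather than depending on the straight-line order here. The enclosing GetSecretVersion begins before this hunk, so its doc comment is outside the visible lines.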