-
Notifications
You must be signed in to change notification settings - Fork 1
feat: add generic Unix-socket secrets provider #165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
larimonious
wants to merge
7
commits into
main
Choose a base branch
from
feat/secrets-unix-socket-provider
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
8f4cb02
feat: add generic Unix-socket secrets provider
larimonious 2152998
fix: align generic agent protocol
larimonious e062fb4
fix: reject unterminated maximum frames
larimonious 399fe8c
test: consume request EOF in socket fixtures
larimonious de69a73
test: separate response decoding from socket transport
larimonious 705c4e6
test: avoid platform-dependent partial frame delivery
larimonious 112e384
fix: complete socket responses at newline
larimonious File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| # Local secrets-agent protocol v1 | ||
|
|
||
| ntnt's `unix-socket` secrets provider can use any local agent that implements this protocol. The protocol is backend-neutral: an agent may obtain values from a managed secrets service, an operating-system key store, an HSM-backed service, or another deployment-owned source. | ||
|
|
||
| This is an integration contract for `std/secrets`; it is not a general socket API for ntnt programs. | ||
|
|
||
| ## Transport | ||
|
|
||
| - Unix domain stream socket. | ||
| - One request and one response per connection. | ||
| - Each message is one UTF-8 JSON object followed by `\n`. | ||
| - The client half-closes its write side after the request. | ||
| - The agent should half-close its write side after the response. The newline completes the frame; the client does not wait for EOF, but rejects any trailing byte that is already available. | ||
| - Requests and responses must not use carriage returns or additional frames. | ||
| - Filesystem ownership and permissions authenticate the local endpoint. The protocol `scope` field detects routing mistakes but is not authentication. | ||
|
|
||
| ## Request | ||
|
|
||
| ```json | ||
| {"protocol":1,"request_id":1,"op":"get","name":"API_KEY","scope":"deployment-a"} | ||
| ``` | ||
|
|
||
| Fields are exact; unknown, duplicate, or missing fields are rejected. | ||
|
|
||
| | Field | Meaning | | ||
| |---|---| | ||
| | `protocol` | Integer protocol version; currently `1`. | | ||
| | `request_id` | Positive client-generated integer echoed by the response. It is correlation data, not a credential. | | ||
| | `op` | Operation; v1 supports only `get`. | | ||
| | `name` | Declared logical secret name. | | ||
| | `scope` | Deployment-owned authorization/routing scope configured outside application source. | | ||
|
|
||
| ## Responses | ||
|
|
||
| Found: | ||
|
|
||
| ```json | ||
| {"protocol":1,"request_id":1,"status":"found","scope":"deployment-a","value":"<opaque>"} | ||
| ``` | ||
|
|
||
| Non-value result: | ||
|
|
||
| ```json | ||
| {"protocol":1,"request_id":1,"status":"missing","scope":"deployment-a"} | ||
| ``` | ||
|
|
||
| Supported statuses: | ||
|
|
||
| | Status | Meaning | Client retry/failover | | ||
| |---|---|---| | ||
| | `found` | A non-empty opaque value is present. | No | | ||
| | `missing` | The declared name has no value. | No | | ||
| | `access_denied` | The caller or deployment scope is not authorized. | No | | ||
| | `unavailable` | A bounded transient agent/backend outage. | Yes | | ||
| | `invalid_request` | The request is semantically invalid. | No | | ||
| | `invalid_configuration` | The agent cannot safely serve the configured deployment. | No | | ||
|
|
||
| Agents must not return backend error text, stack traces, paths, credentials, or secret fragments. ntnt validates the protocol version, request ID, exact scope, status shape, frame size, value size, and connection completion before exposing a value to `std/secrets`. | ||
|
|
||
| ## Deployment configuration | ||
|
|
||
| ```text | ||
| NTNT_SECRETS_PROVIDER=unix-socket | ||
| NTNT_SECRETS_SOCKET_ENDPOINTS=/run/ntnt-secrets/primary.sock,/run/ntnt-secrets/secondary.sock | ||
| NTNT_SECRETS_AUTHORIZATION_SCOPE=deployment-a | ||
| NTNT_SECRETS_TIMEOUT_MS=1000 | ||
| ``` | ||
|
|
||
| Production endpoints must be below `/run/ntnt-secrets`. The deployment owner creates and protects that directory and its sockets; application code and `ntnt.toml` do not select endpoint paths or authorization scope. | ||
|
|
||
| The provider permits one through eight unique ordered endpoints, performs two bounded attempts per endpoint, and fails over only after `unavailable`. All endpoints in one configured group must represent the same authorization scope. | ||
|
|
||
| ## Limits | ||
|
|
||
| | Limit | v1 value | | ||
| |---|---:| | ||
| | Response frame | 65,536 bytes | | ||
| | Decoded secret value | 32,768 bytes | | ||
| | Endpoints | 1–8 | | ||
| | Attempts per endpoint | 2 | | ||
| | Attempt timeout | 10–10,000 ms | | ||
|
|
||
| One monotonic deadline covers connect, request write, response read, and frame completion for each attempt. Partial responses cannot extend the deadline by making slow progress. | ||
|
|
||
| ## Out of scope | ||
|
|
||
| - A plaintext secret cache inside ntnt. | ||
| - Remote TCP, HTTP, or WebSocket agents. | ||
| - Backend-specific behavior or dependencies. | ||
| - A general-purpose Unix-socket or WebSocket API for ntnt application code. | ||
|
|
||
| Those are separate security and language-design decisions rather than accidental side effects of the secrets-provider contract. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.