studio/cli
2
0
Fork 0
Code Issues Pull Requests Actions Packages Releases 4 Wiki Activity

feat(secrets): add xchacha20-poly1305 cipher key seeding for Kratos

Browse Source 
Add rand_alphanum() using OsRng for generating fixed-length
alphanumeric secrets. Seed secrets-cipher (32 chars) into the
kratos KV path for at-rest encryption of OIDC tokens.
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-24 20:51:13 +00:00
parent 80ab6d6113
commit 3d2d16d53e
2 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
sunbeam-sdk/src/secrets/mod.rs
View File

@@ -102,6 +102,15 @@ fn rand_token_n(n: usize) -> String {
base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(buf)
}
/// Generate an alphanumeric random string of exactly `n` characters.
/// Used for secrets that require a fixed character length (e.g. xchacha20-poly1305 cipher keys).
pub(crate) fn rand_alphanum(n: usize) -> String {
use rand::rngs::OsRng;
use rand::Rng;
const CHARSET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
(0..n).map(|_| CHARSET[OsRng.gen_range(0..CHARSET.len())] as char).collect()
}
// ── Port-forward helper ─────────────────────────────────────────────────────
/// Port-forward guard — cancels the background forwarder on drop.

6
sunbeam-sdk/src/secrets/seeding.rs
View File

@@ -11,8 +11,8 @@ use crate::openbao::BaoClient;
use crate::output::{ok, warn};
use super::{
gen_dkim_key_pair, gen_fernet_key, port_forward, rand_token, rand_token_n, scw_config,
wait_pod_running, delete_resource, GITEA_ADMIN_USER, SMTP_URI,
gen_dkim_key_pair, gen_fernet_key, port_forward, rand_alphanum, rand_token, rand_token_n,
scw_config, wait_pod_running, delete_resource, GITEA_ADMIN_USER, SMTP_URI,
};
/// Internal result from seed_openbao, used by cmd_seed.
@@ -238,12 +238,14 @@ pub async fn seed_openbao() -> Result<Option<SeedResult>> {
.await?;
let smtp_uri_fn = || SMTP_URI.to_string();
let cipher_fn = || rand_alphanum(32);
let kratos = get_or_create(
&bao,
"kratos",
&[
("secrets-default", &rand_token as &dyn Fn() -> String),
("secrets-cookie", &rand_token),
("secrets-cipher", &cipher_fn),
("smtp-connection-uri", &smtp_uri_fn),
],
&mut dirty_paths,