remove RSAHandler from the module

It was a nice exercise to build it out, but ultimately I'm realizing that it's a bit premature and presumptuous to be adding in a very specific secret handler. I'm not even using it yet in my own projects! I'm also finding that the way a project or organization chooses to handle it's secrets is typically pretty bespoke, from determining how secrets are loaded, where/how encryption/decryption is handled, their encryption scheme, how they're stored and even rotated. There's a lot to consider. Either way, I think it's best to remove this footgun from the module altogether and rethink how, or even if, a secret handler should be implemented in a way that is considered a "sensible default".
kevinfalting · Dec 14, 2023 · 99950de · 99950de
1 parent dd4dccb
commit 99950de
Show file tree

Hide file tree

Showing 5 changed files with 1 addition and 324 deletions.
diff --git a/README.md b/README.md
@@ -34,12 +34,6 @@ The precedence of the default configuration is applied in the following order:
 1. Environment Variable
 1. Command Line Flag
 
-### Secrets
-
-The builtin secret handler expects base64 encoded RSA strings, prefixed with `secret://`, to look like `secret://<some_base64_encoded_rsa_encrypted_ciphertext>`.
-
-The advantage of this is that handlers can read in encrypted or decrypted values, and once they get to the secret handler, it will either skip it or decrypt a value prefixed with `secret://`, since you may want to provide a decrypted value as an environment variable or flag. You can also provide an encrypted value with that prefix as an environment variable or flag, and it will be decrypted using the provided key.
-
 ## Supporting Unsupported Types
 
 The parser will prioritize value fields that satisfy the `encoding.TextUnmarshaler` or `encoding.BinaryUnmarshaler`, in that order. If you need to support an unsupported type like a map or slice, then create a user defined type that satisfies either interface.

diff --git a/conf.go b/conf.go
@@ -37,13 +37,6 @@ func New[T any](opts ...confOptionFunc) (*Conf[T], error) {
 		},
 	}
 
-	if confOpt.rsaPrivateKey != nil {
-		conf.Handlers = append(conf.Handlers, &confhandler.RSAHandler{
-			PrivateKey: confOpt.rsaPrivateKey,
-			Label:      confOpt.rsaLabel,
-		})
-	}
-
 	return &conf, nil
 }
 

diff --git a/confhandler/rsa.go b/confhandler/rsa.go
diff --git a/confhandler/rsa_test.go b/confhandler/rsa_test.go
diff --git a/confoption.go b/confoption.go
@@ -1,14 +1,11 @@
 package structconf
 
 import (
-	"crypto/rsa"
 	"flag"
 )
 
 type confOption struct {
-	flagSet       *flag.FlagSet
-	rsaPrivateKey *rsa.PrivateKey
-	rsaLabel      []byte
+	flagSet *flag.FlagSet
 }
 
 type confOptionFunc func(opt *confOption)
@@ -20,18 +17,3 @@ func WithFlagSet(fset *flag.FlagSet) confOptionFunc {
 		opt.flagSet = fset
 	}
 }
-
-// WithRSAPrivateKey is a functional option for passing an [rsa.PrivateKey] to
-// the default Conf's RSAHandler.
-func WithRSAPrivateKey(priv *rsa.PrivateKey) confOptionFunc {
-	return func(opt *confOption) {
-		opt.rsaPrivateKey = priv
-	}
-}
-
-// WithRSALabel sets the label to use with the RSA Private Key.
-func WithRSALabel(label []byte) confOptionFunc {
-	return func(opt *confOption) {
-		opt.rsaLabel = label
-	}
-}