feat: infisical proxy

go.mod

@@ -58,6 +58,8 @@ require (
 	github.com/Masterminds/semver/v3 v3.3.0 // indirect
 	github.com/alessio/shellescape v1.4.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
+	github.com/awnumar/memcall v0.4.0 // indirect
+	github.com/awnumar/memguard v0.23.0 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.27.2 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.27.18 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.18 // indirect

go.sum

@@ -74,6 +74,10 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef h1:46PFijGLmAjMPwCCCo7Jf0W6f9slllCkkv7vyc1yOSg=
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/awnumar/memcall v0.4.0 h1:B7hgZYdfH6Ot1Goaz8jGne/7i8xD4taZie/PNSFZ29g=
+github.com/awnumar/memcall v0.4.0/go.mod h1:8xOx1YbfyuCg3Fy6TO8DK0kZUua3V42/goA5Ru47E8w=
+github.com/awnumar/memguard v0.23.0 h1:sJ3a1/SWlcuKIQ7MV+R9p0Pvo9CWsMbGZvcZQtmc68A=
+github.com/awnumar/memguard v0.23.0/go.mod h1:olVofBrsPdITtJ2HgxQKrEYEMyIBAIciVG4wNnZhW9M=
 github.com/aws/aws-sdk-go-v2 v1.27.2 h1:pLsTXqX93rimAOZG2FIYraDQstZaaGVVN4tNw65v0h8=
 github.com/aws/aws-sdk-go-v2 v1.27.2/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
 github.com/aws/aws-sdk-go-v2/config v1.27.18 h1:wFvAnwOKKe7QAyIxziwSKjmer9JBMH1vzIL6W+fYuKk=

packages/cmd/agent.go

@@ -28,6 +28,7 @@ import (
 	"text/template"
 	"time"
 
+	"github.com/awnumar/memguard"
 	"github.com/dgraph-io/badger/v3"
 	"github.com/go-resty/resty/v2"
 	infisicalSdk "github.com/infisical/go-sdk"
@@ -90,13 +91,13 @@ type RetryConfig struct {
 }
 
 type Config struct {
-	Version       string                   `yaml:"version,omitempty"`
-	Infisical     InfisicalConfig          `yaml:"infisical"`
-	Auth          AuthConfig               `yaml:"auth"`
-	Sinks         []Sink                   `yaml:"sinks"`
-	Cache         CacheConfig              `yaml:"cache,omitempty"`
-	Templates     []Template               `yaml:"templates"`
-	Certificates  []AgentCertificateConfig `yaml:"certificates,omitempty"`
+	Version      string                   `yaml:"version,omitempty"`
+	Infisical    InfisicalConfig          `yaml:"infisical"`
+	Auth         AuthConfig               `yaml:"auth"`
+	Sinks        []Sink                   `yaml:"sinks"`
+	Cache        CacheConfig              `yaml:"cache,omitempty"`
+	Templates    []Template               `yaml:"templates"`
+	Certificates []AgentCertificateConfig `yaml:"certificates,omitempty"`
 }
 
 type TemplateWithID struct {
@@ -195,10 +196,10 @@ type Template struct {
 }
 
 type CertificateLifecycleConfig struct {
-	RenewBeforeExpiry string `yaml:"renew-before-expiry"`
-	StatusCheckInterval string `yaml:"status-check-interval"`
+	RenewBeforeExpiry    string `yaml:"renew-before-expiry"`
+	StatusCheckInterval  string `yaml:"status-check-interval"`
 	FailureRetryInterval string `yaml:"failure-retry-interval,omitempty"`
-	MaxFailureRetries int `yaml:"max-failure-retries,omitempty"`
+	MaxFailureRetries    int    `yaml:"max-failure-retries,omitempty"`
 }
 
 type CertificateAttributes struct {
@@ -343,7 +344,10 @@ func NewCacheManager(ctx context.Context, cacheConfig *CacheConfig) (*CacheManag
 		return &CacheManager{}, fmt.Errorf("unable to read service account token: %v. Please ensure the file exists and is not empty", err)
 	}
 
-	encryptionKey := sha256.Sum256(serviceAccountToken)
+	hash := sha256.Sum256(serviceAccountToken)
+	encryptionKey := memguard.NewBufferFromBytes(hash[:]) // the hash (source) is wiped after copied to the secure buffer
+
+	defer encryptionKey.Destroy()
 
 	cacheStorage, err := cache.NewEncryptedStorage(cache.EncryptedStorageOptions{
 		DBPath:        cacheConfig.Persistent.Path,
@@ -2000,7 +2004,6 @@ func validateCertificateLifecycleConfig(certificates *[]AgentCertificateConfig)
 	return nil
 }
 
-
 func resolveCertificateNameReferences(certificates *[]AgentCertificateConfig, httpClient *resty.Client) error {
 	for i := range *certificates {
 		cert := &(*certificates)[i]
@@ -2086,7 +2089,6 @@ func buildCertificateAttributes(certificate *AgentCertificateConfig) *api.Certif
 		removeRoots = false
 	}
 
-
 	attributes.RemoveRootsFromChain = removeRoots
 	hasAny = true
 
@@ -3207,7 +3209,6 @@ var agentCmd = &cobra.Command{
 						log.Warn().Msg("credential revocation timed out after 5 minutes, forcing exit")
 						exitCode = 1
 					}
-
 				}
 
 				os.Exit(exitCode)