Make secrets and key management public (google#645)

* Move secrets out of internal/

* Add note about public

* Move signing public, rename to keys

* Finish rename

* Rename main file

* Cleanup package comments

internal/admin/config.go

@@ -23,10 +23,10 @@ import (
  "net/http"
 
  "github.com/google/exposure-notifications-server/internal/database"
- "github.com/google/exposure-notifications-server/internal/secrets"
  "github.com/google/exposure-notifications-server/internal/setup"
- "github.com/google/exposure-notifications-server/internal/signing"
  "github.com/google/exposure-notifications-server/internal/storage"
+ "github.com/google/exposure-notifications-server/pkg/keys"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
 )
 
 var _ setup.BlobstoreConfigProvider = (*Config)(nil)
@@ -36,7 +36,7 @@ var _ setup.SecretManagerConfigProvider = (*Config)(nil)
 
 type Config struct {
  Database database.Config
- KeyManager signing.Config
+ KeyManager keys.Config
  SecretManager secrets.Config
  Storage storage.Config
 
@@ -50,7 +50,7 @@ func (c *Config) DatabaseConfig() *database.Config {
  return &c.Database
 }
 
-func (c *Config) KeyManagerConfig() *signing.Config {
+func (c *Config) KeyManagerConfig() *keys.Config {
  return &c.KeyManager
 }
 

internal/authorizedapp/database/authorized_app.go

@@ -23,7 +23,7 @@ import (
 
  "github.com/google/exposure-notifications-server/internal/authorizedapp/model"
  "github.com/google/exposure-notifications-server/internal/database"
- "github.com/google/exposure-notifications-server/internal/secrets"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
  pgx "github.com/jackc/pgx/v4"
 )
 

internal/authorizedapp/database_provider.go

@@ -27,7 +27,7 @@ import (
  "github.com/google/exposure-notifications-server/pkg/cache"
 
  "github.com/google/exposure-notifications-server/internal/logging"
- "github.com/google/exposure-notifications-server/internal/secrets"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
 )
 
 // Compile-time check to assert implementation.

internal/cleanup/config.go

@@ -19,9 +19,9 @@ import (
 
  "github.com/google/exposure-notifications-server/internal/database"
  "github.com/google/exposure-notifications-server/internal/observability"
- "github.com/google/exposure-notifications-server/internal/secrets"
  "github.com/google/exposure-notifications-server/internal/setup"
  "github.com/google/exposure-notifications-server/internal/storage"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
 )
 
 // Compile-time check to assert this config matches requirements.

internal/debugger/config.go

@@ -17,10 +17,10 @@ package debugger
 import (
  "github.com/google/exposure-notifications-server/internal/authorizedapp"
  "github.com/google/exposure-notifications-server/internal/database"
- "github.com/google/exposure-notifications-server/internal/secrets"
  "github.com/google/exposure-notifications-server/internal/setup"
- "github.com/google/exposure-notifications-server/internal/signing"
  "github.com/google/exposure-notifications-server/internal/storage"
+ "github.com/google/exposure-notifications-server/pkg/keys"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
 )
 
 // Compile-time check to assert this config matches requirements.
@@ -34,7 +34,7 @@ var _ setup.SecretManagerConfigProvider = (*Config)(nil)
 type Config struct {
  AuthorizedApp authorizedapp.Config
  Database database.Config
- KeyManager signing.Config
+ KeyManager keys.Config
  SecretManager secrets.Config
  Storage storage.Config
 
@@ -53,7 +53,7 @@ func (c *Config) DatabaseConfig() *database.Config {
  return &c.Database
 }
 
-func (c *Config) KeyManagerConfig() *signing.Config {
+func (c *Config) KeyManagerConfig() *keys.Config {
  return &c.KeyManager
 }
 

internal/export/config.go

@@ -20,10 +20,10 @@ import (
 
  "github.com/google/exposure-notifications-server/internal/database"
  "github.com/google/exposure-notifications-server/internal/observability"
- "github.com/google/exposure-notifications-server/internal/secrets"
  "github.com/google/exposure-notifications-server/internal/setup"
- "github.com/google/exposure-notifications-server/internal/signing"
  "github.com/google/exposure-notifications-server/internal/storage"
+ "github.com/google/exposure-notifications-server/pkg/keys"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
 )
 
 // Compile-time check to assert this config matches requirements.
@@ -37,7 +37,7 @@ var _ setup.ObservabilityExporterConfigProvider = (*Config)(nil)
 // the export components.
 type Config struct {
  Database database.Config
- KeyManager signing.Config
+ KeyManager keys.Config
  SecretManager secrets.Config
  Storage storage.Config
  ObservabilityExporter observability.Config
@@ -61,7 +61,7 @@ func (c *Config) DatabaseConfig() *database.Config {
  return &c.Database
 }
 
-func (c *Config) KeyManagerConfig() *signing.Config {
+func (c *Config) KeyManagerConfig() *keys.Config {
  return &c.KeyManager
 }
 

internal/export/server_test.go

@@ -21,14 +21,14 @@ import (
 
  "github.com/google/exposure-notifications-server/internal/database"
  "github.com/google/exposure-notifications-server/internal/serverenv"
- "github.com/google/exposure-notifications-server/internal/signing"
  "github.com/google/exposure-notifications-server/internal/storage"
+ "github.com/google/exposure-notifications-server/pkg/keys"
 )
 
 // TestNewServer tests NewServer().
 func TestNewServer(t *testing.T) {
  emptyStorage := &storage.GoogleCloudStorage{}
- emptyKMS := &signing.GoogleCloudKMS{}
+ emptyKMS := &keys.GoogleCloudKMS{}
  emptyDB := &database.DB{}
  ctx := context.Background()
 

internal/federationin/config.go

@@ -20,8 +20,8 @@ import (
 
  "github.com/google/exposure-notifications-server/internal/database"
  "github.com/google/exposure-notifications-server/internal/observability"
- "github.com/google/exposure-notifications-server/internal/secrets"
  "github.com/google/exposure-notifications-server/internal/setup"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
 )
 
 const (

internal/federationout/config.go

@@ -19,8 +19,8 @@ import (
 
  "github.com/google/exposure-notifications-server/internal/database"
  "github.com/google/exposure-notifications-server/internal/observability"
- "github.com/google/exposure-notifications-server/internal/secrets"
  "github.com/google/exposure-notifications-server/internal/setup"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
 )
 
 // Compile-time check to assert this config matches requirements.

internal/generate/config.go

@@ -20,8 +20,8 @@ import (
 
  "github.com/google/exposure-notifications-server/internal/database"
  "github.com/google/exposure-notifications-server/internal/observability"
- "github.com/google/exposure-notifications-server/internal/secrets"
  "github.com/google/exposure-notifications-server/internal/setup"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
 )
 
 // Compile-time check to assert this config matches requirements.

internal/integration/integration_test.go

@@ -26,11 +26,11 @@ import (
  "github.com/google/exposure-notifications-server/internal/export"
  "github.com/google/exposure-notifications-server/internal/federationin"
  "github.com/google/exposure-notifications-server/internal/publish"
- "github.com/google/exposure-notifications-server/internal/secrets"
  "github.com/google/exposure-notifications-server/internal/server"
  "github.com/google/exposure-notifications-server/internal/serverenv"
- "github.com/google/exposure-notifications-server/internal/signing"
  "github.com/google/exposure-notifications-server/internal/storage"
+ "github.com/google/exposure-notifications-server/pkg/keys"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
 )
 
 func testServer(tb testing.TB) (*serverenv.ServerEnv, *http.Client) {
@@ -50,7 +50,7 @@ func testServer(tb testing.TB) (*serverenv.ServerEnv, *http.Client) {
 
  db := database.NewTestDatabase(tb)
 
- km, err := signing.NewNoop(ctx)
+ km, err := keys.NewNoop(ctx)
  if err != nil {
  tb.Fatal(err)
  }

internal/publish/config.go

@@ -21,9 +21,9 @@ import (
  "github.com/google/exposure-notifications-server/internal/authorizedapp"
  "github.com/google/exposure-notifications-server/internal/database"
  "github.com/google/exposure-notifications-server/internal/observability"
- "github.com/google/exposure-notifications-server/internal/secrets"
  "github.com/google/exposure-notifications-server/internal/setup"
  "github.com/google/exposure-notifications-server/internal/verification"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
 )
 
 // Compile-time check to assert this config matches requirements.

internal/serverenv/env.go

@@ -24,9 +24,9 @@ import (
  "github.com/google/exposure-notifications-server/internal/database"
  "github.com/google/exposure-notifications-server/internal/metrics"
  "github.com/google/exposure-notifications-server/internal/observability"
- "github.com/google/exposure-notifications-server/internal/secrets"
- "github.com/google/exposure-notifications-server/internal/signing"
  "github.com/google/exposure-notifications-server/internal/storage"
+ "github.com/google/exposure-notifications-server/pkg/keys"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
 )
 
 // ExporterFunc defines a factory function for creating a context aware metrics exporter.
@@ -38,7 +38,7 @@ type ServerEnv struct {
  blobstore storage.Blobstore
  database *database.DB
  exporter metrics.ExporterFromContext
- keyManager signing.KeyManager
+ keyManager keys.KeyManager
  secretManager secrets.SecretManager
  observabilityExporter observability.Exporter
 }
@@ -95,7 +95,7 @@ func WithSecretManager(sm secrets.SecretManager) Option {
 }
 
 // WithKeyManager creates an Option to install a specific KeyManager to use for signing requests.
-func WithKeyManager(km signing.KeyManager) Option {
+func WithKeyManager(km keys.KeyManager) Option {
  return func(s *ServerEnv) *ServerEnv {
  s.keyManager = km
  return s
@@ -122,7 +122,7 @@ func (s *ServerEnv) SecretManager() secrets.SecretManager {
  return s.secretManager
 }
 
-func (s *ServerEnv) KeyManager() signing.KeyManager {
+func (s *ServerEnv) KeyManager() keys.KeyManager {
  return s.keyManager
 }
 

internal/setup/setup.go

@@ -24,10 +24,10 @@ import (
  "github.com/google/exposure-notifications-server/internal/logging"
  "github.com/google/exposure-notifications-server/internal/metrics"
  "github.com/google/exposure-notifications-server/internal/observability"
- "github.com/google/exposure-notifications-server/internal/secrets"
  "github.com/google/exposure-notifications-server/internal/serverenv"
- "github.com/google/exposure-notifications-server/internal/signing"
  "github.com/google/exposure-notifications-server/internal/storage"
+ "github.com/google/exposure-notifications-server/pkg/keys"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
  "github.com/sethvargo/go-envconfig/pkg/envconfig"
 )
 
@@ -52,7 +52,7 @@ type DatabaseConfigProvider interface {
 // KeyManagerConfigProvider is a marker interface indicating the key manager
 // should be installed.
 type KeyManagerConfigProvider interface {
- KeyManagerConfig() *signing.Config
+ KeyManagerConfig() *keys.Config
 }
 
 // ObservabilityExporterConfigProvider signals that the config knows how to configure an
@@ -132,7 +132,7 @@ func SetupWith(ctx context.Context, config interface{}, l envconfig.Lookuper) (*
  }
 
  // Load the key manager.
- var km signing.KeyManager
+ var km keys.KeyManager
  if provider, ok := config.(KeyManagerConfigProvider); ok {
  logger.Info("configuring key manager")
 
@@ -142,7 +142,7 @@ func SetupWith(ctx context.Context, config interface{}, l envconfig.Lookuper) (*
  }
 
  var err error
- km, err = signing.KeyManagerFor(ctx, kmConfig.KeyManagerType)
+ km, err = keys.KeyManagerFor(ctx, kmConfig.KeyManagerType)
  if err != nil {
  return nil, fmt.Errorf("unable to connect to key manager: %w", err)
  }

internal/setup/setup_test.go

@@ -25,10 +25,10 @@ import (
  "github.com/google/exposure-notifications-server/internal/authorizedapp"
  "github.com/google/exposure-notifications-server/internal/database"
  "github.com/google/exposure-notifications-server/internal/observability"
- "github.com/google/exposure-notifications-server/internal/secrets"
  "github.com/google/exposure-notifications-server/internal/setup"
- "github.com/google/exposure-notifications-server/internal/signing"
  "github.com/google/exposure-notifications-server/internal/storage"
+ "github.com/google/exposure-notifications-server/pkg/keys"
+ "github.com/google/exposure-notifications-server/pkg/secrets"
  "github.com/sethvargo/go-envconfig/pkg/envconfig"
 )
 
@@ -62,9 +62,9 @@ func (t *testConfig) DatabaseConfig() *database.Config {
  return t.Database
 }
 
-func (t *testConfig) KeyManagerConfig() *signing.Config {
- return &signing.Config{
- KeyManagerType: signing.KeyManagerType("NOOP"),
+func (t *testConfig) KeyManagerConfig() *keys.Config {
+ return &keys.Config{
+ KeyManagerType: keys.KeyManagerType("NOOP"),
  }
 }
 
@@ -197,7 +197,7 @@ func TestSetupWith(t *testing.T) {
  t.Errorf("expected key manager to exist")
  }
 
- if _, ok := km.(*signing.Noop); !ok {
+ if _, ok := km.(*keys.Noop); !ok {
  t.Errorf("expected %T to be Noop", km)
  }
  })

internal/signing/aws_kms.go → pkg/keys/aws_kms.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package signing
+package keys
 
 import (
  "context"
@@ -27,7 +27,7 @@ import (
 // Compile-time check to verify implements interface.
 var _ KeyManager = (*AWSKMS)(nil)
 
-// AWSKMS implements the signing.KeyManager interface and can be used to sign
+// AWSKMS implements the keys.KeyManager interface and can be used to sign
 // export files using AWS KMS.
 type AWSKMS struct {
  svc *kms.KMS

internal/signing/azure_keyvault.go → pkg/keys/azure_keyvault.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package signing
+package keys
 
 import (
  "context"
@@ -36,7 +36,7 @@ import (
 var _ KeyManager = (*AzureKeyVault)(nil)
 var _ crypto.Signer = (*AzureKeyVaultSigner)(nil)
 
-// AzureKeyVault implements the signing.KeyManager interface and can be used to
+// AzureKeyVault implements the keys.KeyManager interface and can be used to
 // sign export files.
 type AzureKeyVault struct {
  client *keyvault.BaseClient

internal/signing/config.go → pkg/keys/config.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package signing
+package keys
 
 // KeyManagerType defines a specific key manager.
 type KeyManagerType string

internal/signing/google_cloud_kms.go → pkg/keys/google_cloud_kms.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package signing
+package keys
 
 import (
  "context"
@@ -25,7 +25,7 @@ import (
 // Compile-time check to verify implements interface.
 var _ KeyManager = (*GoogleCloudKMS)(nil)
 
-// GoogleCloudKMS implements the signing.KeyManager interface and can be used to sign
+// GoogleCloudKMS implements the keys.KeyManager interface and can be used to sign
 // export files.
 type GoogleCloudKMS struct {
  client *kms.KeyManagementClient

internal/signing/hashicorp_vault.go → pkg/keys/hashicorp_vault.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package signing
+package keys
 
 import (
  "context"
@@ -34,7 +34,7 @@ import (
 var _ KeyManager = (*HashiCorpVault)(nil)
 var _ crypto.Signer = (*HashiCorpVaultSigner)(nil)
 
-// HashiCorpVault implements the signing.KeyManager interface and can be used to
+// HashiCorpVault implements the keys.KeyManager interface and can be used to
 // sign export files.
 type HashiCorpVault struct {
  client *vaultapi.Client