feat(memvault): add secure in-memory vault with docs#73
feat(memvault): add secure in-memory vault with docs#73jithinkunjachan wants to merge 1 commit intomainfrom
internal/securemem/handler.go
Outdated
| ) | ||
|
|
||
| type ( | ||
| SessionHandler func(context.Context, *VaultSession) error |
internal/securemem/handler.go
Outdated
|
|
||
| type ( | ||
| SessionHandler func(context.Context, *VaultSession) error | ||
| VaultSession struct { |
Let's call this HandlerRequest so that it follows the same naming logic as the other things we are going to build.
internal/securemem/handler.go
Outdated
| } | ||
| } | ||
|
|
||
| func (r *VaultSession) Put(name string, data []byte) error { |
Why do we need the (non persistent) Put here?
internal/securemem/handler.go
Outdated
|
|
||
| type ( | ||
| SessionHandler func(context.Context, *VaultSession) error | ||
| VaultSession struct { |
internal/securemem/handler.go
Outdated
| } | ||
|
|
||
| sess := newVaultSession() | ||
| state := newVaultSession() |
I think we don't need to allocate this here since we are only using it in line 80+.
internal/securemem/handler_test.go
Outdated
| assert.NoError(t, err) | ||
| assert.NotNil(t, state) | ||
|
|
||
| actResult, ok := state.Get(key2) |
we need to assert.Panic that this is read-only
| "golang.org/x/sys/unix" | ||
| ) | ||
|
|
||
| func readonly(data []byte) error { |
| return unix.Mprotect(data, unix.PROT_READ) | ||
| } | ||
|
|
||
| func readwrite(data []byte) error { |
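Review bot: `readonly` hands the caller's slice straight to `unix.Mprotect`, and nothing in the quoted lines documents that mprotect works on whole pages: the start address has to be page-aligned and the protection applies to every page the range touches. A sub-slice of the mapping would presumably either fail with EINVAL or, if it happens to start on a page boundary, leave the remaining pages of the region writable. I would state the contract on both helpers, for example `// readonly marks the pages backing data read-only; data must be the whole page-aligned mapping, not a sub-slice of it.` The import block starts above the quoted lines and the body of `readwrite` continues below them.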
internal/securemem/vaultdata.go
Outdated
|
|
||
| import "errors" | ||
|
|
||
| type VaultData struct { |
This needs to be concurrency-safe, and we should use an RWMutex, because when we destroy we want to block even reads.
internal/securemem/vaultdata.go
Outdated
| return unalloc(m.data) | ||
| } | ||
|
|
||
| func (m *VaultData) Readonly() error { |
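Review bot: `return unalloc(m.data)` passes the slice by value, so after the call `m.data` still refers to the unmapped region unless a deferred statement outside the quoted lines clears it. A later `Readonly()` or read on the same VaultData would then touch unmapped memory, and a second destroy would unmap an address range that may by then belong to a different mapping. I would clear the field on the way out: `err := unalloc(m.data)`, `m.data = nil`, `return err`. Both the function that ends here and `Readonly` are only partly visible in this fragment.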
61a9f86 to
0bc871e
Introduce MemVaultData for secure memory regions backed by mmap'd anonymous memory, locked to RAM, and supporting read-only protection via mprotect. Includes destroy functionality for secure zeroing and unmapping. Add platform-specific alloc and NoDump implementations for Darwin and Linux. Provide unit and integration tests for vault creation, destruction, and read-only behavior. Update .gitignore for macOS and test artifacts. Update dependencies.
e1146b5 to
107364d
memory, locked to RAM, and supporting read-only protection via mprotect.