{"id":19040624,"url":"https://github.com/cloudfoundry/credhub","last_synced_at":"2025-05-16T03:04:40.109Z","repository":{"id":37078473,"uuid":"57061988","full_name":"cloudfoundry/credhub","owner":"cloudfoundry","description":"CredHub centralizes and secures credential generation, storage, lifecycle management, and access","archived":false,"fork":false,"pushed_at":"2025-05-13T23:47:38.000Z","size":13691,"stargazers_count":241,"open_issues_count":4,"forks_count":77,"subscribers_count":30,"default_branch":"main","last_synced_at":"2025-05-14T01:46:24.589Z","etag":null,"topics":["bosh","cf-extensions","cloudfoundry","credential-manager","credhub"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudfoundry.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-04-25T17:30:51.000Z","updated_at":"2025-05-13T23:46:20.000Z","dependencies_parsed_at":"2024-05-21T19:43:15.511Z","dependency_job_id":"3f28547a-cb80-4c5a-864b-e4bcf7134703","html_url":"https://github.com/cloudfoundry/credhub","commit_stats":{"total_commits":3170,"total_committers":107,"mean_commits":"29.626168224299064","dds":0.8766561514195583,"last_synced_commit":"79eeff9403b773f8e507842ee97de9f2f273773e"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry%2Fcredhub","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry%2Fcredhub/tags","releases_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry%2Fcredhub/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry%2Fcredhub/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudfoundry","download_url":"https://codeload.github.com/cloudfoundry/credhub/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254459088,"owners_count":22074605,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bosh","cf-extensions","cloudfoundry","credential-manager","credhub"],"created_at":"2024-11-08T22:23:52.566Z","updated_at":"2025-05-16T03:04:35.102Z","avatar_url":"https://github.com/cloudfoundry.png","language":"Java","readme":"# \u003cdiv align=\"center\"\u003e\u003cimg src=\"docs/images/logo.png\" alt=\"CredHub\"\u003e\u003c/div\u003e\n\n[![slack.cloudfoundry.org](https://slack.cloudfoundry.org/badge.svg)](https://slack.cloudfoundry.org)\n\nCredHub manages credentials like passwords, certificates, certificate authorities, ssh keys, rsa keys and arbitrary values (strings and JSON blobs). CredHub provides a CLI and API to get, set, generate and securely store such credentials.\n\n* [Documentation](docs/)\n* [CredHub API Docs](https://docs.cloudfoundry.org/api/credhub/)\n* [CredHub Tracker](https://www.pivotaltracker.com/n/projects/1977341)\n\nCredHub is intended to be deployed by [BOSH](https://bosh.io) using the [credhub-release](https://github.com/pivotal/credhub-release) BOSH release. 
This repository is for development and is **not intended to be directly deployable**.\n\nAdditional repos:\n\n* [credhub-cli](https://github.com/cloudfoundry-incubator/credhub-cli): command line interface for credhub\n* [credhub-release](https://github.com/pivotal/credhub-release): BOSH release of CredHub server\n* [credhub-acceptance-tests](https://github.com/cloudfoundry-incubator/credhub-acceptance-tests): integration tests written in Go.\n\n# Contributing to CredHub\n\nThe Cloud Foundry team uses GitHub and accepts contributions via [pull request](https://help.github.com/articles/using-pull-requests).\n\n## Contributor License Agreement\n\nFollow these steps to make a contribution to any of our open source repositories:\n\n1. Ensure that you have completed our CLA Agreement for\n  [individuals](https://www.cloudfoundry.org/pdfs/CFF_Individual_CLA.pdf) or\n  [corporations](https://www.cloudfoundry.org/pdfs/CFF_Corporate_CLA.pdf).\n\n1. Set your name and email (these should match the information on your submitted CLA)\n\n        git config --global user.name \"Firstname Lastname\"\n        git config --global user.email \"your_email@example.com\"\n\n## Reporting a Vulnerability\n\nWe strongly encourage people to report security vulnerabilities privately to our security team before disclosing them in a public forum.\n\nPlease note that the e-mail address below should only be used for reporting undisclosed security vulnerabilities in open source Cloud Foundry codebases and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security-related queries at this address.\n\nThe e-mail address to use to contact the CFF Security Team is security@cloudfoundry.org.\n\nOur public PGP key can be obtained from a public key server such as [pgp.mit.edu](https://pgp.mit.edu). Its fingerprint is: 3FC8 9AF3 940B E270 CF25  E122 9965 0006 EF9D C642. 
More information can be found at [cloudfoundry.org/security](https://cloudfoundry.org/security).\n\n## General Workflow\n\n1. Fork the repository\n1. Create a feature branch (`git checkout -b \u003cmy_new_branch\u003e`)\n1. Make changes on your branch\n1. Test your changes locally (see next section) and in a [bosh-lite](https://github.com/cloudfoundry/bosh-lite) or other test environment.\n1. Push to your fork (`git push origin \u003cmy_new_branch\u003e`) and submit a pull request\n\nWe favor pull requests with very small, single commits with a single purpose. Your pull request is much more likely to be accepted if it is small and focused with a clear message that conveys the intent of your change.\n\n### Generating API Documentation\n\nThe CredHub API can generate API documentation by running its test suite (via Spring Rest Docs). CredHub API Documentation can be generated as follows:\n\n```\n./scripts/generate_documentation_snippets.sh\n```\n\nCredHub API documentation will be built as an html file in the CredHub backend gradle subproject build directory: `backends/credhub/build/docs/asciidoc/index.html`.\n\n### Development Configuration\n\nLaunching in production directly using the `bootRun` target is **unsafe**, as you will launch with a `dev` profile, which has checked-in secret keys in `application-dev.yml`.\n\n#### Dependency Graph\n\nA dependency graph of project components (gradle subprojects) can be generated to better understand project organization. You will need graphviz installed on your system in order to generate the graph.\n\n```\n./gradlew dependenciesGraph\n```\n\n#### Generally\n\nConfiguration for the server is spread across the `application*.yml` files.\n\n* Configuration shared by all environments (dev, test, or BOSH-deployed) is in `application.yml`.\n* Development-specific configuration is in `application-dev.yml`. 
This includes:\n  * A UAA URL intended for development use only,\n  * A JWT public verification key for use with that UAA, and\n  * two `dev-key`s intended for development use only.\n* Per-database configuration is placed in `application-dev-h2.yml`, `application-dev-mysql.yml`, and `application-dev-postgres.yml`. For convenience, these per-database profiles include the `dev` profile.\n\nBy default, CredHub launches with the `dev-h2` and `dev` profiles enabled.\n\n#### UAA and the JWT public signing key\n\nCredHub requires a [UAA server](https://github.com/cloudfoundry/uaa) to manage authentication.\n\nIn `application-dev.yml` there are two relevant settings:\n\n1. `auth-server.url`. This needs to point to a running UAA server (remote or BOSH-lite, it's up to you).\n2. `security.oauth2.resource.jwt.key-value`. This is the public verification key, corresponding to a private JWT signing key held by your UAA server.\n\nFor convenience, the CredHub team runs a public UAA whose IP is in the default `application-dev.yml` manifest. The password grant values are `credhub`/`password` and the client credentials grant values are `credhub_client`/`secret`. This public UAA is for local development usage only! You will need to skip SSL validation in order to use it.\n\n#### Running CredHub with local UAA\n\nIn order to run CredHub against a UAA running on your local machine, do the following:\n1. Start a UAA with Docker:\n   `docker run -d --mount type=bind,source=$PWD/config/uaa.yml,target=/uaa/uaa.yml -p 127.0.0.1:8080:8080 pcfseceng/uaa:latest`.\n   (May need to add the config/uaa.yml path to the Docker virtual file shares in Settings-Resources-FileSharing.)\n   Alternatively, you can use a local UAA dev build instead by adding items from `credhub/config/uaa.yml` to `uaa/uaa/src/main/resources/uaa.yml` before starting the UAA server.\n2. 
Start CredHub server pointing at the local UAA: `./scripts/start_server.sh -Dspring.profiles.active=dev,dev-h2,dev-local-uaa`\n\nFor testing purposes, the local UAA bootstraps a user (username: `credhub`/ password: `password`) and a client (client ID:`credhub_client` / client secret:`secret`), with which you can access the local CredHub. For example:\n```\n# log into CredHub CLI using a UAA client; this client comes with permissions to access all CredHub credential paths (see `application-dev.yml` manifest)\ncredhub login -s https://localhost:9000 --client-name=credhub_client --client-secret=secret --skip-tls-validation\n# log into CredHub CLI using a UAA user; this user does not come with permissions to CredHub credential paths (see `application-dev.yml` manifest)\ncredhub login -s https://localhost:9000 -u credhub -p password --skip-tls-validation\n```\n\n#### Starting the server with different databases\n\n##### H2 (the default)\n\nH2 datasource configuration is in `application-dev-h2.yml`.\n\n```sh\n./scripts/start_server.sh\n```\n\n##### PostgreSQL\n\nPostgres datasource configuration is in `application-dev-postgres.yml`.\n\nBefore development, you'll need to create the target database.\n\nA local Postgres server with docker can be started as follows:\n```\ndocker run --name postgres-server \\\n   --env POSTGRES_USER=pivotal \\\n   --env POSTGRES_HOST_AUTH_METHOD=trust \\\n   --detach \\\n   --publish 5432:5432 \\\n   postgres:15\n```\n\n```sh\ncreatedb credhub_dev\n```\n\nThen to run in development mode with Postgres\n\n```sh\n./scripts/start_server.sh -Dspring.profiles.active=dev,dev-postgres\n```\n\n##### MySQL\n\nMySQL datasource configuration is in `application-dev-mysql.yml`.\n\nLog into your MySQL server and create databases `credhub_dev` and `credhub_test` with privileges granted to `root`.\n\n```shell\nmysql -u root\ncreate database credhub_test;\ncreate database credhub_dev;\n```\n\nIf you're on a Mac using Homebrew and you run into a problem where 
you install MySQL and it isn't running (i.e., `mysql -u root` errors with a socket error), you may need to uninstall mysql, delete the `/usr/local/var/mysql` directory (*Warning: this will delete all local MySQL data!*), and then reinstall MySQL.\n\nAlternatively, you can also start a local MySQL server with docker:\n```\ndocker run \\\n  --name mysql-server \\\n  --env MYSQL_ALLOW_EMPTY_PASSWORD='yes' \\\n  --env MYSQL_ROOT_HOST='%' \\\n  --publish 3306:3306 \\\n  --detach \\\n  \"mysql:8.0\"\n```    \n\nThen to run in development mode with MySQL:\n\n```sh\n./scripts/start_server.sh -Dspring.profiles.active=dev,dev-mysql\n```\n\n#### Debugging the server\n\nTo load JDWP agent for credhub jvm debugging, start the server as follows:\n```sh\n./scripts/start_server.sh -Pdebug=true\n```\n\nYou can then attach your debugger to port 5005 of the jvm process.\n\nTo suspend the server start-up until the debugger is attached (useful for\ndebugging start-up code), start the server as follows:\n```sh\n./scripts/start_server.sh -Pdebugs=true\n```\n\n#### Running tests with different databases\n\nTesting with different databases requires you to set a system property with the profile corresponding to your desired database. 
For example, to test with H2, you'll need to run the tests with the `-Dspring.profiles.active=unit-test-h2` profile.\n\nDuring development, it is helpful to set up different IntelliJ testing profiles that use the following VM Options:\n\n- `-ea -Dspring.profiles.active=unit-test-h2` for testing with H2\n- `-ea -Dspring.profiles.active=unit-test-mysql` for testing with MySQL\n- `-ea -Dspring.profiles.active=unit-test-postgres` for testing with Postgres\n\n### Testing with the CLI and Acceptance Tests\n\n#### Using the CLI locally\n\nAfter having pulled the [credhub-cli](https://github.com/cloudfoundry-incubator/credhub-cli) repo, run `make`, and then run the following command to target your locally running CredHub instance:\n\n```shell\nbuild/credhub login -s https://localhost:9000 --client-name=credhub_client --client-secret=secret --skip-tls-validation\n```\n\n#### Running the Acceptance Tests\n\nFirst, be sure to pull and compile the [credhub-cli](https://github.com/cloudfoundry-incubator/credhub-cli), as described above.\n\nMake sure your development server is running. When it starts up for the first time, it will create a server CA and server certificate for SSL, as well as a trusted client CA for testing mutual TLS authentication. 
These will be located in `src/test/resources` relative to the `credhub` repository.\n\nPull [credhub-acceptance-tests](https://github.com/cloudfoundry-incubator/credhub-acceptance-tests) and run:\n\n```shell\nCREDENTIAL_ROOT=/path/to/credhub/repo/plus/src/test/resources ./scripts/run_tests.sh\n```\n\nAssuming it works, that will generate some test client certificates for testing mutual TLS (in `certs/` in the acceptance test directory) and run the acceptance test suite against your locally running credhub server.\n\n### Cleaning up orphaned encrypted_value records\nTo clean up orphaned `encrypted_value` records from CredHub version 2.12.70 and\nearlier (https://github.com/cloudfoundry/credhub/issues/231), follow the steps described in\n[Cleaning up orphaned encrypted_value records](docs/orphaned-encryption-value-cleanup.md).\n","funding_links":[],"categories":["安全"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudfoundry%2Fcredhub","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudfoundry%2Fcredhub","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudfoundry%2Fcredhub/lists"}