git.delta.rocks / jrsonnet / refs/commits / 2a625abed5ed

difftreelog

refactor remove intermediate directory

Yaroslav Bolyukin2021-09-19parent: #f06ae76.patch.diff
in: trunk

1 file changed

modifiedcmds/install-secrets/src/main.rsdiffbeforeafterboth
before · cmds/install-secrets/src/main.rs
1use age::Decryptor;2use anyhow::{anyhow, bail, Context, Result};3use log::{error, warn};4use nix::fcntl::{renameat2, RenameFlags};5use nix::sys::stat::Mode;6use nix::unistd::{chown, Group, User};7use serde::{Deserialize, Deserializer};8use std::fs::{self, DirBuilder};9use std::io::{self, Cursor, Read};10use std::iter;11use std::os::unix::prelude::PermissionsExt;12use std::str::from_utf8;13use std::{14	collections::HashMap,15	os::unix::fs::DirBuilderExt,16	path::{Path, PathBuf},17};18use structopt::StructOpt;1920#[derive(StructOpt)]21#[structopt(author)]22struct Opts {23	data: PathBuf,24}2526#[derive(Deserialize)]27struct DataItem {28	group: String,29	mode: String,30	owner: String,31	#[serde(deserialize_with = "from_z85")]32	secret: Vec<u8>,33}3435fn from_z85<'de, D>(deserializer: D) -> Result<Vec<u8>, D::Error>36where37	D: Deserializer<'de>,38{39	use serde::de::Error;40	String::deserialize(deserializer)41		.and_then(|string| z85::decode(&string).map_err(|err| Error::custom(err.to_string())))42}4344type Data = HashMap<String, DataItem>;4546fn init_secret(47	identity: &age::ssh::Identity,48	dir: &Path,49	name: &str,50	value: DataItem,51) -> Result<()> {52	let mut path = dir.to_path_buf();53	path.push(name);54	if path.strip_prefix(&dir).is_err() {55		bail!("found escaping name");56	}5758	let secret_dir = path59		.parent()60		.expect("path is in tempdir, so it should have parent");6162	if secret_dir != dir {63		DirBuilder::new()64			.recursive(true)65			// o: xrw66			// g: xr67			// a: xr68			.mode(0o755)69			.create(70				path.parent()71					.expect("path is in tempdir, so it should have parent"),72			)73			.context("failed to create secret directory")?;74	}7576	let mode = Mode::from_bits(77		u32::from_str_radix(&value.mode, 8).context("failed to parse mode as octal")?,78	)79	.context("failed to parse mode")?;80	let user = User::from_name(&value.owner)81		.context("failed to get user")?82		.ok_or_else(|| anyhow!("user not found"))?;83	let group = Group::from_name(&value.group)84		.context("failed to get group")?85		.ok_or_else(|| anyhow!("group not found"))?;86	let mut tempfile =87		tempfile::NamedTempFile::new_in(secret_dir).context("failed to create tempfile")?;88	// File is owned by root, and only root can modify it8990	let decrypted = {91		let mut input = Cursor::new(&value.secret);92		let decryptor = Decryptor::new(&mut input).context("failed to init decryptor")?;93		let decryptor = match decryptor {94			Decryptor::Recipients(r) => r,95			Decryptor::Passphrase(_) => bail!("should be recipients"),96		};97		let mut decryptor = decryptor98			.decrypt(iter::once(identity as &dyn age::Identity))99			.context("failed to decrypt, wrong key?")?;100101		let mut decrypted = Vec::new();102		decryptor103			.read_to_end(&mut decrypted)104			.context("failed to decrypt")?;105		decrypted106	};107108	io::copy(&mut Cursor::new(decrypted), &mut tempfile)109		.context("failed to write decrypted file")?;110111	// Make file owned by specified user and group, then change mode112	chown(tempfile.path(), Some(user.uid), Some(group.gid))113		.context("failed to apply user/group")?;114	fs::set_permissions(tempfile.path(), fs::Permissions::from_mode(mode.bits())).unwrap();115	tempfile.persist(path).context("failed to persist")?;116117	Ok(())118}119120fn main() -> anyhow::Result<()> {121	env_logger::Builder::new()122		.filter_level(log::LevelFilter::Info)123		.init();124125	let opts = Opts::from_args();126	let data = fs::read(&opts.data).context("failed to read secrets data")?;127	let data_str = from_utf8(&data).context("failed to read data to string")?;128	let data: Data = serde_json::from_str(data_str).context("failed to parse data")?;129130	let tempdir =131		tempfile::tempdir_in("/run/secrets.d").context("failed to create secrets tempdir")?;132133	let identity = age::ssh::Identity::from_buffer(134		&mut Cursor::new(135			fs::read("/etc/ssh/ssh_host_ed25519_key").context("failed to read host private key")?,136		),137		None,138	)139	.context("failed to parse identity")?;140141	let mut failed = false;142	for (name, value) in data {143		if let Err(e) = init_secret(&identity, tempdir.path(), &name, value) {144			error!(145				"{:?}",146				e.context(format!("failed to initialize secret {}", name))147			);148			failed = true;149		}150	}151	if failed {152		bail!("one or more secrets failed");153	}154155	if fs::metadata("/run/secrets.d/secrets.fleet")156		.map(|m| m.is_dir())157		.unwrap_or(false)158	{159		// Already linked160		renameat2(161			None,162			tempdir.path(),163			None,164			"/run/secrets.d/secrets.fleet",165			RenameFlags::RENAME_EXCHANGE,166		)167		.context("failed to exchange secret directories")?;168		if tempdir.close().is_err() {169			warn!("failed to unlink old secrets");170		}171	} else {172		// Link now173		let persisted = tempdir.into_path();174		fs::rename(&persisted, "/run/secrets.d/secrets.fleet")175			.context("failed to link secret directory")?;176	}177	Ok(())178}