1use age::Decryptor;2use anyhow::{anyhow, bail, Context, Result};3use clap::Parser;4use log::error;5use nix::sys::stat::Mode;6use nix::unistd::{chown, Group, User};7use serde::{Deserialize, Deserializer};8use std::fs::{self, File};9use std::io::{self, Cursor, Read, Write};10use std::iter;11use std::os::unix::prelude::PermissionsExt;12use std::str::from_utf8;13use std::{collections::HashMap, path::PathBuf};1415#[derive(Parser)]16#[clap(author)]17struct Opts {18 data: PathBuf,19}2021#[derive(Deserialize)]22#[serde(rename_all = "camelCase")]23struct DataItem {24 group: String,25 mode: String,26 owner: String,2728 #[serde(deserialize_with = "from_z85")]29 secret: Option<Vec<u8>>,30 public: Option<String>,3132 public_path: PathBuf,33 stable_public_path: PathBuf,3435 secret_path: PathBuf,36 stable_secret_path: PathBuf,37}3839fn from_z85<'de, D>(deserializer: D) -> Result<Option<Vec<u8>>, D::Error>40where41 D: Deserializer<'de>,42{43 use serde::de::Error;44 if let Some(v) = <Option<String>>::deserialize(deserializer)? {45 Ok(Some(46 z85::decode(&v).map_err(|err| Error::custom(err.to_string()))?,47 ))48 } else {49 Ok(None)50 }51}5253type Data = HashMap<String, DataItem>;5455fn init_secret(identity: &age::ssh::Identity, value: DataItem) -> Result<()> {56 if let Some(public) = &value.public {57 let mut hashed = File::create(&value.public_path)?;58 let stable_dir = value.stable_public_path.parent().expect("not root");59 let mut stable_temp =60 tempfile::NamedTempFile::new_in(stable_dir).context("failed to create tempfile")?;61 hashed.write_all(public.as_bytes())?;62 stable_temp.write_all(public.as_bytes())?;63 stable_temp.flush()?;64 fs::set_permissions(stable_temp.path(), fs::Permissions::from_mode(0o444))65 .context("perm")?;66 fs::set_permissions(&value.public_path, fs::Permissions::from_mode(0o444))67 .context("perm")?;6869 stable_temp70 .persist(value.stable_public_path)71 .context("failed to persist")?;72 }73 if value.secret.is_none() {74 return Ok(());75 }76 let secret = value.secret.as_ref().unwrap();7778 let mode = Mode::from_bits(79 u32::from_str_radix(&value.mode, 8).context("failed to parse mode as octal")?,80 )81 .context("failed to parse mode")?;82 let user = User::from_name(&value.owner)83 .context("failed to get user")?84 .ok_or_else(|| anyhow!("user not found"))?;85 let group = Group::from_name(&value.group)86 .context("failed to get group")?87 .ok_or_else(|| anyhow!("group not found"))?;8889 let stable_dir = value.stable_secret_path.parent().expect("not root");90 let mut stable_temp =91 tempfile::NamedTempFile::new_in(stable_dir).context("failed to create tempfile")?;92 let mut hashed = File::create(&value.secret_path)?;9394 95 let decrypted = {96 let mut input = Cursor::new(&secret);97 let decryptor = Decryptor::new(&mut input).context("failed to init decryptor")?;98 let decryptor = match decryptor {99 Decryptor::Recipients(r) => r,100 Decryptor::Passphrase(_) => bail!("should be recipients"),101 };102 let mut decryptor = decryptor103 .decrypt(iter::once(identity as &dyn age::Identity))104 .context("failed to decrypt, wrong key?")?;105106 let mut decrypted = Vec::new();107 decryptor108 .read_to_end(&mut decrypted)109 .context("failed to decrypt")?;110 decrypted111 };112113 io::copy(&mut Cursor::new(&decrypted), &mut stable_temp)114 .context("failed to write decrypted file")?;115 io::copy(&mut Cursor::new(decrypted), &mut hashed).context("failed to write decrypted file")?;116117 118 chown(stable_temp.path(), Some(user.uid), Some(group.gid))119 .context("failed to apply user/group")?;120 chown(&value.secret_path, Some(user.uid), Some(group.gid))121 .context("failed to apply user/group")?;122 fs::set_permissions(stable_temp.path(), fs::Permissions::from_mode(mode.bits())).unwrap();123 fs::set_permissions(&value.secret_path, fs::Permissions::from_mode(mode.bits())).unwrap();124 stable_temp125 .persist(value.stable_secret_path)126 .context("failed to persist")?;127128 Ok(())129}130131fn main() -> anyhow::Result<()> {132 env_logger::Builder::new()133 .filter_level(log::LevelFilter::Info)134 .init();135136 let opts = Opts::parse();137 let data = fs::read(&opts.data).context("failed to read secrets data")?;138 let data_str = from_utf8(&data).context("failed to read data to string")?;139 let data: Data = serde_json::from_str(data_str).context("failed to parse data")?;140141 if !fs::metadata("/run/secrets")142 .map(|m| m.is_dir())143 .unwrap_or(false)144 {145 fs::create_dir("/run/secrets").context("failed to create secrets directory")?;146 }147148 let identity = age::ssh::Identity::from_buffer(149 &mut Cursor::new(150 fs::read("/etc/ssh/ssh_host_ed25519_key").context("failed to read host private key")?,151 ),152 None,153 )154 .context("failed to parse identity")?;155156 let mut failed = false;157 for (name, value) in data {158 if let Err(e) = init_secret(&identity, value) {159 error!(160 "{:?}",161 e.context(format!("failed to initialize secret {}", name))162 );163 failed = true;164 }165 }166 if failed {167 bail!("one or more secrets failed");168 }169170 Ok(())171}