git.delta.rocks / jrsonnet / refs/heads / trunk

difftreelog

source

cmds/install-secrets/src/main.rs7.0 KiBsourcehistory
1use std::{2	collections::{BTreeMap, HashMap},3	fs::{self, File},4	io::{self, Cursor, Read, Write},5	iter,6	os::unix::prelude::PermissionsExt,7	path::{Path, PathBuf},8	str::{FromStr, from_utf8},9};1011use age::{12	Decryptor, Encryptor, Identity, Recipient,13	ssh::{Identity as SshIdentity, Recipient as SshRecipient},14};15use anyhow::{Context, Result, anyhow, bail, ensure};16use clap::Parser;17use fleet_shared::SecretData;18use nix::unistd::{Group, User, chown};19use serde::Deserialize;20use tracing::{error, info, info_span};21use tracing_subscriber::{EnvFilter, filter::LevelFilter};2223#[derive(Parser)]24#[clap(author)]25enum Opts {26	/// Install secrets from json specification27	Install { data: PathBuf },28	/// Reencrypt secret using host key, outputting in fleet encoded string29	Reencrypt {30		#[clap(long)]31		secret: SecretData,32		#[clap(long)]33		targets: Vec<String>,34	},35	/// Decrypt secret using host key, outputting in fleet encoded string36	Decrypt {37		#[clap(long)]38		secret: SecretData,39		/// Shoult decoded output be printed as plaintext, instead of z85?40		#[clap(long)]41		plaintext: bool,42	},43}4445#[derive(Deserialize)]46#[serde(rename_all = "camelCase")]47struct Part {48	raw: SecretData,49	path: PathBuf,50	stable_path: PathBuf,51}5253#[derive(Deserialize)]54#[serde(rename_all = "camelCase")]55struct DataItem {56	group: String,57	mode: String,58	owner: String,59	root_path: Option<PathBuf>,6061	parts: BTreeMap<String, Part>,62}6364type Data = HashMap<String, DataItem>;6566fn decrypt(input: &SecretData, identity: &dyn Identity) -> Result<Vec<u8>> {67	ensure!(input.encrypted, "passed data is not encrypted!");68	let mut input = Cursor::new(&input.data);69	let decryptor = Decryptor::new(&mut input).context("failed to init decryptor")?;70	if decryptor.is_scrypt() {71		bail!("should be recipients");72	}73	let mut decryptor = decryptor74		.decrypt(iter::once(identity as &dyn age::Identity))75		.context("failed to decrypt, wrong key?")?;7677	let mut decrypted = Vec::new();78	decryptor79		.read_to_end(&mut decrypted)80		.context("failed to decrypt")?;81	Ok(decrypted)82}83fn encrypt(input: &[u8], targets: Vec<String>) -> Result<SecretData> {84	let recipients = targets85		.into_iter()86		.map(|t| {87			SshRecipient::from_str(&t).map_err(|e| anyhow!("failed to parse recipient: {e:?}"))88		})89		.collect::<Result<Vec<SshRecipient>>>()?;90	let recipients = recipients.iter().map(|v| v as &dyn Recipient);91	let mut encrypted = vec![];92	let mut encryptor = Encryptor::with_recipients(recipients)93		.expect("recipients provided")94		.wrap_output(&mut encrypted)95		.expect("constructor should not fail");96	io::copy(&mut Cursor::new(input), &mut encryptor).expect("copy should not fail");97	encryptor.finish().context("failed to finish encryption")?;98	Ok(SecretData {99		data: encrypted,100		encrypted: true,101	})102}103104fn init_part(identity: &dyn Identity, item: &DataItem, value: &Part) -> Result<()> {105	let stable_dir = value.stable_path.parent().expect("not root");106107	// Right now stable & non-stable data are both located in this dir.108	std::fs::create_dir_all(stable_dir)?;109110	let mut stable_temp =111		tempfile::NamedTempFile::new_in(stable_dir).context("failed to create tempfile")?;112	let mut hashed = File::create(&value.path)?;113114	let private = value.raw.encrypted;115	let data = if private {116		decrypt(&value.raw, identity)?117	} else {118		value.raw.data.to_owned()119	};120121	hashed.write_all(&data)?;122	hashed.flush()?;123	stable_temp.write_all(&data)?;124	stable_temp.flush()?;125126	let mode = if private {127		fs::Permissions::from_mode(128			u32::from_str_radix(&item.mode, 8).context("failed to parse mode as octal")?,129		)130	} else {131		fs::Permissions::from_mode(0o444)132	};133	fs::set_permissions(stable_temp.path(), mode.clone()).context("stable temp mode")?;134	fs::set_permissions(&value.path, mode).context("hashed mode")?;135136	// Files are initially owned by root, thus making set mode first inaccessible to user, and then137	// altering user/group.138	if private {139		let user = User::from_name(&item.owner)140			.context("failed to get user")?141			.ok_or_else(|| anyhow!("user not found"))?;142		let group = Group::from_name(&item.group)143			.context("failed to get group")?144			.ok_or_else(|| anyhow!("group not found"))?;145146		chown(stable_temp.path(), Some(user.uid), Some(group.gid))147			.context("failed to apply user/group")?;148		chown(&value.path, Some(user.uid), Some(group.gid))149			.context("failed to apply user/group")?;150	}151152	stable_temp153		.persist(&value.stable_path)154		.context("stable persist")?;155	Ok(())156}157158fn init_secret(identity: &age::ssh::Identity, value: &DataItem) -> Result<()> {159	if let Some(root_path) = &value.root_path {160		if !fs::metadata(root_path).map(|m| m.is_dir()).unwrap_or(false) {161			fs::create_dir(root_path).context("failed to create secret directory")?;162		}163	}164	let mut errored = false;165	for (part_id, part) in value.parts.iter() {166		let _span = info_span!("part", part_id = part_id);167		if let Err(e) = init_part(identity, value, part) {168			error!("failed to init part {part_id:?}: {e}");169			errored = true;170		}171	}172173	ensure!(!errored, "some secret parts have failed to initialize");174	Ok(())175}176177fn host_identity() -> anyhow::Result<SshIdentity> {178	let identity = SshIdentity::from_buffer(179		&mut Cursor::new(180			fs::read("/etc/ssh/ssh_host_ed25519_key").context("failed to read host private key")?,181		),182		None,183	)184	.context("failed to parse identity")?;185	Ok(identity)186}187188fn install(data: &Path) -> anyhow::Result<()> {189	let data = fs::read(data).context("failed to read secrets data")?;190	let data_str = from_utf8(&data).context("failed to read data to string")?;191	let data: Data = serde_json::from_str(data_str).context("failed to parse data")?;192193	if !fs::metadata("/run/secrets")194		.map(|m| m.is_dir())195		.unwrap_or(false)196	{197		fs::create_dir("/run/secrets").context("failed to create secrets directory")?;198	}199200	if data.is_empty() {201		info!("no secrets to install");202		return Ok(());203	}204205	let identity = host_identity()?;206207	let mut failed = false;208	for (name, value) in data {209		let _span = info_span!("init", name = name);210		if let Err(e) = init_secret(&identity, &value) {211			error!("secret {name:?} failed to initialize: {e}");212			failed = true;213		}214	}215	if failed {216		bail!("one or more secrets failed");217	}218219	Ok(())220}221222fn main() -> anyhow::Result<()> {223	tracing_subscriber::fmt()224		.with_env_filter(225			EnvFilter::builder()226				.with_default_directive(LevelFilter::INFO.into())227				.from_env_lossy(),228		)229		.without_time()230		.with_target(false)231		.init();232233	let opts = Opts::parse();234235	match opts {236		Opts::Install { data } => install(&data),237		Opts::Reencrypt { secret, targets } => {238			let identity = host_identity()?;239			let decrypted = decrypt(&secret, &identity).context("during decryption")?;240			let encrypted = encrypt(&decrypted, targets).context("during re-encryption")?;241242			println!("{encrypted}");243			Ok(())244		}245		Opts::Decrypt { secret, plaintext } => {246			let identity = host_identity()?;247			let decrypted = decrypt(&secret, &identity).context("during decryption")?;248249			if plaintext {250				let s = String::from_utf8(decrypted).context("output is not utf8")?;251				print!("{s}");252			} else {253				println!(254					"{}",255					SecretData {256						data: decrypted,257						encrypted: false258					}259				);260			}261			Ok(())262		}263	}264}