sops-nix/pkgs/sops-install-secrets/main.go

package main

import (
	"encoding/hex"
	"encoding/json"
	"errors"
	"flag"
	"fmt"
	"io/ioutil"
	"os"
	"os/user"
	"path/filepath"
	"strconv"
	"strings"

	"github.com/Mic92/sops-nix/pkgs/sshkeys"

	"github.com/mozilla-services/yaml"
	"go.mozilla.org/sops/v3/decrypt"
	"golang.org/x/sys/unix"
)

type secret struct {
	Name            string     `json:"name"`
	Key             string     `json:"key"`
	Path            string     `json:"path"`
	Owner           string     `json:"owner"`
	Group           string     `json:"group"`
	SopsFile        string     `json:"sopsFile"`
	Format          FormatType `json:"format"`
	Mode            string     `json:"mode"`
	RestartServices []string   `json:"restartServices"`
	ReloadServices  []string   `json:"reloadServices"`
	value           []byte
	mode            os.FileMode
	owner           int
	group           int
}

type manifest struct {
	Secrets           []secret `json:"secrets"`
	SecretsMountPoint string   `json:"secretsMountpoint"`
	SymlinkPath       string   `json:"symlinkPath"`
	SSHKeyPaths       []string `json:"sshKeyPaths"`
	GnupgHome         string   `json:"gnupgHome"`
}

type secretFile struct {							  
	cipherText []byte
	keys       map[string]interface{}
	/// First secret that defined this secretFile, used for error messages
	firstSecret *secret
}

type FormatType string

const (
	Yaml   FormatType = "yaml"
	Json   FormatType = "json"
	Binary FormatType = "binary"
)

func (f *FormatType) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	var t = FormatType(s)
	switch t {
	case "":
		*f = Yaml
	case Yaml, Json, Binary:
		*f = t
	}

	return nil
}

func (f FormatType) MarshalJSON() ([]byte, error) {
	return json.Marshal(string(f))
}

type CheckMode string

const (
	Manifest CheckMode = "manifest"
	SopsFile CheckMode = "sopsfile"
	Off      CheckMode = "off"
)

type options struct {
	checkMode CheckMode
	manifest  string
}

type appContext struct {
	manifest    manifest
	secretFiles map[string]secretFile
	checkMode   CheckMode
}

func readManifest(path string) (*manifest, error) {
	file, err := os.Open(path)
	if err != nil {
		return nil, fmt.Errorf("Failed to open manifest: %s", err)
	}
	defer file.Close()
	dec := json.NewDecoder(file)
	var m manifest
	if err := dec.Decode(&m); err != nil {
		return nil, fmt.Errorf("Failed to parse manifest: %s", err)
	}
	return &m, nil
}

func symlinkSecret(targetFile string, secret *secret) error {
	for {
		currentLinkTarget, err := os.Readlink(secret.Path)
		if os.IsNotExist(err) {
			if err := os.Symlink(targetFile, secret.Path); err != nil {
				return fmt.Errorf("Cannot create symlink '%s': %s", secret.Path, err)
			}
			return nil
		} else if err != nil {
			return fmt.Errorf("Cannot read symlink: '%s'", err)
		} else if currentLinkTarget == targetFile {
			return nil
		}
		if err := os.Remove(secret.Path); err != nil {
			return fmt.Errorf("Cannot override %s", secret.Path)
		}
	}
}

func symlinkSecrets(targetDir string, secrets []secret) error {
	for _, secret := range secrets {
		targetFile := filepath.Join(targetDir, secret.Name)
		if targetFile == secret.Path {
			continue
		}
		parent := filepath.Dir(secret.Path)
		if err := os.MkdirAll(parent, os.ModePerm); err != nil {
			return fmt.Errorf("Cannot create parent directory of '%s': %s", secret.Path, err)
		}
		if err := symlinkSecret(targetFile, &secret); err != nil {
			return err
		}
	}
	return nil
}

type plainData struct {
	data   map[string]string
	binary []byte
}

func decryptSecret(s *secret, sourceFiles map[string]plainData) error {
	sourceFile := sourceFiles[s.SopsFile]
	if sourceFile.data == nil || sourceFile.binary == nil {
		plain, err := decrypt.File(s.SopsFile, string(s.Format))
		if err != nil {
			return fmt.Errorf("Failed to decrypt '%s': %s", s.SopsFile, err)
		}
		if s.Format == Binary {
			sourceFile.binary = plain
		} else {
			if s.Format == Yaml {
				if err := yaml.Unmarshal(plain, &sourceFile.data); err != nil {
					return fmt.Errorf("Cannot parse yaml of '%s': %s", s.SopsFile, err)
				}
			} else {
				if err := json.Unmarshal(plain, &sourceFile.data); err != nil {
					return fmt.Errorf("Cannot parse json of '%s': %s", s.SopsFile, err)
				}
			}
		}
	}
	if s.Format == Binary {
		s.value = sourceFile.binary
	} else {
		val, ok := sourceFile.data[s.Key]
		if !ok {
			return fmt.Errorf("The key '%s' cannot be found in '%s'", s.Key, s.SopsFile)
		}
		s.value = []byte(val)
	}
	sourceFiles[s.SopsFile] = sourceFile
	return nil
}

func decryptSecrets(secrets []secret) error {
	sourceFiles := make(map[string]plainData)
	for i := range secrets {
		if err := decryptSecret(&secrets[i], sourceFiles); err != nil {
			return err
		}
	}
	return nil
}

func mountSecretFs(mountpoint string, keysGid int) error {
	if err := os.MkdirAll(mountpoint, 0750); err != nil {
		return fmt.Errorf("Cannot create directory '%s': %s", mountpoint, err)
	}

	if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0750"); err != nil {
		return fmt.Errorf("Cannot mount: %s", err)
	}

	if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
		return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %s", mountpoint, keysGid, err)
	}

	return nil
}

func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int) (*string, error) {
	var generation uint64
	linkTarget, err := os.Readlink(linkName)
	if err == nil {
		if strings.HasPrefix(linkTarget, secretMountpoint) {
			targetBasename := filepath.Base(linkTarget)
			generation, err = strconv.ParseUint(targetBasename, 10, 64)
			if err != nil {
				return nil, fmt.Errorf("Cannot parse %s of %s as a number: %s", targetBasename, linkTarget, err)
			}
		}
	} else if !os.IsNotExist(err) {
		return nil, fmt.Errorf("Cannot access %s: %s", linkName, err)
	}
	generation++
	dir := filepath.Join(secretMountpoint, strconv.Itoa(int(generation)))
	if _, err := os.Stat(dir); !os.IsNotExist(err) {
		if err := os.RemoveAll(dir); err != nil {
			return nil, fmt.Errorf("Cannot remove existing %s: %s", dir, err)
		}
	}
	if err := os.Mkdir(dir, os.FileMode(0750)); err != nil {
		return nil, fmt.Errorf("mkdir(): %s", err)
	}
	if err := os.Chown(dir, 0, int(keysGid)); err != nil {
		return nil, fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %s", dir, keysGid, err)
	}
	return &dir, nil
}

func writeSecrets(secretDir string, secrets []secret) error {
	for _, secret := range secrets {
		filepath := filepath.Join(secretDir, secret.Name)
		if err := ioutil.WriteFile(filepath, []byte(secret.value), secret.mode); err != nil {
			return fmt.Errorf("Cannot write %s: %s", filepath, err)
		}
		if err := os.Chown(filepath, secret.owner, secret.group); err != nil {
			return fmt.Errorf("Cannot change owner/group of '%s' to %d/%d: %s", filepath, secret.owner, secret.group, err)
		}
	}
	return nil
}

func lookupKeysGroup() (int, error) {
	group, err := user.LookupGroup("keys")
	if err != nil {
		return 0, fmt.Errorf("Failed to lookup 'keys' group: %s", err)
	}
	gid, err := strconv.ParseInt(group.Gid, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("Cannot parse keys gid %s: %s", group.Gid, err)
	}
	return int(gid), nil
}

func (app *appContext) loadSopsFile(s *secret) (*secretFile, error) {
	if app.checkMode == Manifest {
		return &secretFile{firstSecret: s}, nil
	}

	cipherText, err := ioutil.ReadFile(s.SopsFile)
	if err != nil {
		return nil, fmt.Errorf("Failed reading %s: %s", s.SopsFile, err)
	}

	var keys map[string]interface{}
	if s.Format == Binary {
		if err := json.Unmarshal(cipherText, &keys); err != nil {
			return nil, fmt.Errorf("Cannot parse json of '%s': %s", s.SopsFile, err)
		}
		return &secretFile{cipherText: cipherText, firstSecret: s}, nil
	}

	if s.Format == Yaml {
		if err := yaml.Unmarshal(cipherText, &keys); err != nil {
			return nil, fmt.Errorf("Cannot parse yaml of '%s': %s", s.SopsFile, err)
		}
	} else if err := json.Unmarshal(cipherText, &keys); err != nil {
		return nil, fmt.Errorf("Cannot parse json of '%s': %s", s.SopsFile, err)
	}

	return &secretFile{
		cipherText:  cipherText,
		keys:        keys,
		firstSecret: s,
	}, nil

}

func (app *appContext) validateSopsFile(s *secret, file *secretFile) error {
	if file.firstSecret.Format != s.Format {
		return fmt.Errorf("secret %s defined the format of %s as %s, but it was specified as %s in %s before",
			s.Name, s.SopsFile, s.Format,
			file.firstSecret.Format, file.firstSecret.Name)
	}
	if app.checkMode != Manifest && s.Format != Binary {
		if _, ok := file.keys[s.Key]; !ok {
			return fmt.Errorf("secret %s with the key %s not found in %s", s.Name, s.Key, s.SopsFile)
		}
	}
	return nil
}

func (app *appContext) validateSecret(secret *secret) error {
	mode, err := strconv.ParseUint(secret.Mode, 8, 16)
	if err != nil {
		return fmt.Errorf("Invalid number in mode: %d: %s", mode, err)
	}
	secret.mode = os.FileMode(mode)

	owner, err := user.Lookup(secret.Owner)
	if err != nil {
		return fmt.Errorf("Failed to lookup user '%s': %s", secret.Owner, err)
	}
	ownerNr, err := strconv.ParseUint(owner.Uid, 10, 64)
	if err != nil {
		return fmt.Errorf("Cannot parse uid %s: %s", owner.Uid, err)
	}
	secret.owner = int(ownerNr)

	group, err := user.LookupGroup(secret.Group)
	if err != nil {
		return fmt.Errorf("Failed to lookup group '%s': %s", secret.Group, err)
	}
	groupNr, err := strconv.ParseUint(group.Gid, 10, 64)
	if err != nil {
		return fmt.Errorf("Cannot parse gid %s: %s", group.Gid, err)
	}
	secret.group = int(groupNr)

	if secret.Format == "" {
		secret.Format = "yaml"
	}

	if secret.Format != "yaml" && secret.Format != "json" && secret.Format != "binary" {
		return fmt.Errorf("Unsupported format %s for secret %s", secret.Format, secret.Name)
	}

	file, ok := app.secretFiles[secret.SopsFile]
	if !ok {
		maybeFile, err := app.loadSopsFile(secret)
		if err != nil {
			return err
		}
		app.secretFiles[secret.SopsFile] = *maybeFile
		file = *maybeFile
	}

	return app.validateSopsFile(secret, &file)
}

func (app *appContext) validateManifest() error {
	m := &app.manifest
	if m.SecretsMountPoint == "" {
		m.SecretsMountPoint = "/run/secrets.d"
	}
	if m.SymlinkPath == "" {
		m.SymlinkPath = "/run/secrets"
	}
	if len(m.SSHKeyPaths) > 0 && m.GnupgHome != "" {
		return errors.New("gnupgHome and sshKeyPaths were specified in the manifest. " +
			"Both options are mutual exclusive.")
	}
	for i := range m.Secrets {
		if err := app.validateSecret(&m.Secrets[i]); err != nil {
			return err
		}
	}
	return nil
}

func atomicSymlink(oldname, newname string) error {
	// Fast path: if newname does not exist yet, we can skip the whole dance
	// below.
	if err := os.Symlink(oldname, newname); err == nil || !os.IsExist(err) {
		return err
	}

	// We need to use ioutil.TempDir, as we cannot overwrite a ioutil.TempFile,
	// and removing+symlinking creates a TOCTOU race.
	d, err := ioutil.TempDir(filepath.Dir(newname), "."+filepath.Base(newname))
	if err != nil {
		return err
	}
	cleanup := true
	defer func() {
		if cleanup {
			os.RemoveAll(d)
		}
	}()

	symlink := filepath.Join(d, "tmp.symlink")
	if err := os.Symlink(oldname, symlink); err != nil {
		return err
	}

	if err := os.Rename(symlink, newname); err != nil {
		return err
	}

	cleanup = false
	return os.RemoveAll(d)
}

func importSSHKeys(keyPaths []string, gpgHome string) error {
	secringPath := filepath.Join(gpgHome, "secring.gpg")

	secring, err := os.OpenFile(secringPath, os.O_WRONLY|os.O_CREATE, 0600)
	if err != nil {
		return fmt.Errorf("Cannot create %s: %s", secringPath, err)
	}
	for _, path := range keyPaths {
		sshKey, err := ioutil.ReadFile(path)
		if err != nil {
			return fmt.Errorf("Cannot read ssh key '%s': %s", path, err)
		}
		gpgKey, err := sshkeys.SSHPrivateKeyToPGP(sshKey)
		if err != nil {
			return err
		}

		if err := gpgKey.SerializePrivate(secring, nil); err != nil {
			return fmt.Errorf("Cannot write secring: %s", err)
		}

		fmt.Printf("%s: Imported %s with fingerprint %s\n", os.Args[0], path, hex.EncodeToString(gpgKey.PrimaryKey.Fingerprint[:]))
	}

	return nil
}

type keyring struct {
	path string
}

func (k *keyring) Remove() {
	os.RemoveAll(k.path)
	os.Unsetenv("GNUPGHOME")
}

func setupGPGKeyring(sshKeys []string, parentDir string) (*keyring, error) {
	dir, err := ioutil.TempDir(parentDir, "gpg")
	if err != nil {
		return nil, fmt.Errorf("Cannot create gpg home in '%s': %s", parentDir, err)
	}
	k := keyring{dir}

	if err := importSSHKeys(sshKeys, dir); err != nil {
		os.RemoveAll(dir)
		return nil, err
	}
	os.Setenv("GNUPGHOME", dir)

	return &k, nil
}

func parseFlags(args []string) (*options, error) {
	var opts options
	fs := flag.NewFlagSet(args[0], flag.ContinueOnError)
	fs.Usage = func() {
		fmt.Fprintf(flag.CommandLine.Output(), "Usage: %s [OPTION] manifest.json\n", args[0])
		fs.PrintDefaults()
	}
	var checkMode string
	fs.StringVar(&checkMode, "check-mode", "off", `Validate configuration without installing it (possible values: "manifest","sopsfile","off")`)
	if err := fs.Parse(args[1:]); err != nil {
		return nil, err
	}

	switch CheckMode(checkMode) {
	case Manifest, SopsFile, Off:
		opts.checkMode = CheckMode(checkMode)
	default:
		return nil, fmt.Errorf("Invalid value provided for -check-mode flag: %s", opts.checkMode)
	}

	if fs.NArg() != 1 {
		flag.Usage()
		return nil, flag.ErrHelp
	}
	opts.manifest = fs.Arg(0)
	return &opts, nil
}

func installSecrets(args []string) error {
	opts, err := parseFlags(args)
	if err != nil {
		return err
	}

	manifest, err := readManifest(opts.manifest)
	if err != nil {
		return err
	}

	app := appContext{
		manifest:    *manifest,
		checkMode:   opts.checkMode,
		secretFiles: make(map[string]secretFile),
	}

	if err := app.validateManifest(); err != nil {
		return fmt.Errorf("Manifest is not valid: %s", err)
	}

	if app.checkMode != Off {
		return nil
	}

	keysGid, err := lookupKeysGroup()
	if err != nil {
		return err
	}

	if err := mountSecretFs(manifest.SecretsMountPoint, keysGid); err != nil {
		return fmt.Errorf("Failed to mount filesystem for secrets: %s", err)
	}

	if len(manifest.SSHKeyPaths) != 0 {
		keyring, err := setupGPGKeyring(manifest.SSHKeyPaths, manifest.SecretsMountPoint)
		if err != nil {
			return fmt.Errorf("Error setting up gpg keyring: %s", err)
		}
		defer keyring.Remove()
	} else if manifest.GnupgHome != "" {
		os.Setenv("GNUPGHOME", manifest.GnupgHome)
	}

	if err := decryptSecrets(manifest.Secrets); err != nil {
		return err
	}

	secretDir, err := prepareSecretsDir(manifest.SecretsMountPoint, manifest.SymlinkPath, keysGid)
	if err != nil {
		return fmt.Errorf("Failed to prepare new secrets directory: %s", err)
	}
	if err := writeSecrets(*secretDir, manifest.Secrets); err != nil {
		return fmt.Errorf("Cannot write secrets: %s", err)
	}
	if err := symlinkSecrets(manifest.SymlinkPath, manifest.Secrets); err != nil {
		return fmt.Errorf("Failed to prepare symlinks to secret store: %s", err)
	}
	if err := atomicSymlink(*secretDir, manifest.SymlinkPath); err != nil {
		return fmt.Errorf("Cannot update secrets symlink: %s", err)
	}

	return nil

}

func main() {
	if err := installSecrets(os.Args); err != nil {
		if err == flag.ErrHelp {
			return
		}
		fmt.Fprintf(os.Stderr, "%s: %s\n", os.Args[0], err)
		os.Exit(1)
	}
}
first commit 2020-07-06 06:30:09 +00:00			`package main`

			`import (`
sops-install-secrets: log gpg fingerprint 2020-07-14 12:41:32 +00:00			`"encoding/hex"`
first commit 2020-07-06 06:30:09 +00:00			`"encoding/json"`
add tests + ssh key support 2020-07-12 12:50:55 +00:00			`"errors"`
add validate flag 2020-07-19 10:32:59 +00:00			`"flag"`
first commit 2020-07-06 06:30:09 +00:00			`"fmt"`
			`"io/ioutil"`
			`"os"`
			`"os/user"`
			`"path/filepath"`
			`"strconv"`
			`"strings"`

add tests + ssh key support 2020-07-12 12:50:55 +00:00			`"github.com/Mic92/sops-nix/pkgs/sshkeys"`

first commit 2020-07-06 06:30:09 +00:00			`"github.com/mozilla-services/yaml"`
			`"go.mozilla.org/sops/v3/decrypt"`
			`"golang.org/x/sys/unix"`
			`)`

			`type secret struct {`
add validation mode 2020-07-19 16:09:27 +00:00			Name string `json:"name"`
			Key string `json:"key"`
			Path string `json:"path"`
			Owner string `json:"owner"`
			Group string `json:"group"`
			SopsFile string `json:"sopsFile"`
			Format FormatType `json:"format"`
			Mode string `json:"mode"`
			RestartServices []string `json:"restartServices"`
			ReloadServices []string `json:"reloadServices"`
first commit 2020-07-06 06:30:09 +00:00			`value []byte`
			`mode os.FileMode`
			`owner int`
			`group int`
			`}`

			`type manifest struct {`
			Secrets []secret `json:"secrets"`
			SecretsMountPoint string `json:"secretsMountpoint"`
			SymlinkPath string `json:"symlinkPath"`
add tests + ssh key support 2020-07-12 12:50:55 +00:00			SSHKeyPaths []string `json:"sshKeyPaths"`
add validate flag 2020-07-19 10:32:59 +00:00			GnupgHome string `json:"gnupgHome"`
first commit 2020-07-06 06:30:09 +00:00			`}`

add validation mode 2020-07-19 16:09:27 +00:00			`type secretFile struct {`
			`cipherText []byte`
			`keys map[string]interface{}`
			`/// First secret that defined this secretFile, used for error messages`
			`firstSecret *secret`
			`}`

			`type FormatType string`

			`const (`
			`Yaml FormatType = "yaml"`
			`Json FormatType = "json"`
			`Binary FormatType = "binary"`
			`)`

			`func (f *FormatType) UnmarshalJSON(b []byte) error {`
			`var s string`
			`if err := json.Unmarshal(b, &s); err != nil {`
			`return err`
			`}`
			`var t = FormatType(s)`
			`switch t {`
			`case "":`
			`*f = Yaml`
			`case Yaml, Json, Binary:`
			`*f = t`
			`}`

			`return nil`
			`}`

			`func (f FormatType) MarshalJSON() ([]byte, error) {`
			`return json.Marshal(string(f))`
			`}`

			`type CheckMode string`

			`const (`
			`Manifest CheckMode = "manifest"`
			`SopsFile CheckMode = "sopsfile"`
			`Off CheckMode = "off"`
			`)`

			`type options struct {`
			`checkMode CheckMode`
			`manifest string`
			`}`

			`type appContext struct {`
			`manifest manifest`
			`secretFiles map[string]secretFile`
			`checkMode CheckMode`
			`}`

first commit 2020-07-06 06:30:09 +00:00			`func readManifest(path string) (*manifest, error) {`
			`file, err := os.Open(path)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to open manifest: %s", err)`
			`}`
			`defer file.Close()`
			`dec := json.NewDecoder(file)`
			`var m manifest`
			`if err := dec.Decode(&m); err != nil {`
			`return nil, fmt.Errorf("Failed to parse manifest: %s", err)`
			`}`
			`return &m, nil`
			`}`

add tests + ssh key support 2020-07-12 12:50:55 +00:00			`func symlinkSecret(targetFile string, secret *secret) error {`
			`for {`
			`currentLinkTarget, err := os.Readlink(secret.Path)`
			`if os.IsNotExist(err) {`
			`if err := os.Symlink(targetFile, secret.Path); err != nil {`
			`return fmt.Errorf("Cannot create symlink '%s': %s", secret.Path, err)`
			`}`
			`return nil`
			`} else if err != nil {`
			`return fmt.Errorf("Cannot read symlink: '%s'", err)`
			`} else if currentLinkTarget == targetFile {`
			`return nil`
			`}`
			`if err := os.Remove(secret.Path); err != nil {`
			`return fmt.Errorf("Cannot override %s", secret.Path)`
			`}`
			`}`
			`}`

			`func symlinkSecrets(targetDir string, secrets []secret) error {`
first commit 2020-07-06 06:30:09 +00:00			`for _, secret := range secrets {`
			`targetFile := filepath.Join(targetDir, secret.Name)`
			`if targetFile == secret.Path {`
			`continue`
			`}`
			`parent := filepath.Dir(secret.Path)`
			`if err := os.MkdirAll(parent, os.ModePerm); err != nil {`
			`return fmt.Errorf("Cannot create parent directory of '%s': %s", secret.Path, err)`
			`}`
add tests + ssh key support 2020-07-12 12:50:55 +00:00			`if err := symlinkSecret(targetFile, &secret); err != nil {`
			`return err`
first commit 2020-07-06 06:30:09 +00:00			`}`
			`}`
			`return nil`
			`}`

			`type plainData struct {`
			`data map[string]string`
			`binary []byte`
			`}`

			`func decryptSecret(s *secret, sourceFiles map[string]plainData) error {`
			`sourceFile := sourceFiles[s.SopsFile]`
			`if sourceFile.data == nil \|\| sourceFile.binary == nil {`
add validation mode 2020-07-19 16:09:27 +00:00			`plain, err := decrypt.File(s.SopsFile, string(s.Format))`
first commit 2020-07-06 06:30:09 +00:00			`if err != nil {`
			`return fmt.Errorf("Failed to decrypt '%s': %s", s.SopsFile, err)`
			`}`
add validation mode 2020-07-19 16:09:27 +00:00			`if s.Format == Binary {`
first commit 2020-07-06 06:30:09 +00:00			`sourceFile.binary = plain`
			`} else {`
add validation mode 2020-07-19 16:09:27 +00:00			`if s.Format == Yaml {`
first commit 2020-07-06 06:30:09 +00:00			`if err := yaml.Unmarshal(plain, &sourceFile.data); err != nil {`
			`return fmt.Errorf("Cannot parse yaml of '%s': %s", s.SopsFile, err)`
			`}`
			`} else {`
			`if err := json.Unmarshal(plain, &sourceFile.data); err != nil {`
			`return fmt.Errorf("Cannot parse json of '%s': %s", s.SopsFile, err)`
			`}`
			`}`
			`}`
			`}`
add validation mode 2020-07-19 16:09:27 +00:00			`if s.Format == Binary {`
first commit 2020-07-06 06:30:09 +00:00			`s.value = sourceFile.binary`
			`} else {`
			`val, ok := sourceFile.data[s.Key]`
			`if !ok {`
			`return fmt.Errorf("The key '%s' cannot be found in '%s'", s.Key, s.SopsFile)`
			`}`
			`s.value = []byte(val)`
			`}`
			`sourceFiles[s.SopsFile] = sourceFile`
			`return nil`
			`}`

			`func decryptSecrets(secrets []secret) error {`
			`sourceFiles := make(map[string]plainData)`
			`for i := range secrets {`
			`if err := decryptSecret(&secrets[i], sourceFiles); err != nil {`
			`return err`
			`}`
			`}`
			`return nil`
			`}`

add tests + ssh key support 2020-07-12 12:50:55 +00:00			`func mountSecretFs(mountpoint string, keysGid int) error {`
first commit 2020-07-06 06:30:09 +00:00			`if err := os.MkdirAll(mountpoint, 0750); err != nil {`
			`return fmt.Errorf("Cannot create directory '%s': %s", mountpoint, err)`
			`}`

			`if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV\|unix.MS_NOSUID, "mode=0750"); err != nil {`
			`return fmt.Errorf("Cannot mount: %s", err)`
			`}`

fix /etc/secrets.d permissions 2020-07-14 12:21:07 +00:00			`if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {`
			`return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %s", mountpoint, keysGid, err)`
			`}`

first commit 2020-07-06 06:30:09 +00:00			`return nil`
			`}`

			`func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int) (*string, error) {`
			`var generation uint64`
			`linkTarget, err := os.Readlink(linkName)`
			`if err == nil {`
			`if strings.HasPrefix(linkTarget, secretMountpoint) {`
			`targetBasename := filepath.Base(linkTarget)`
			`generation, err = strconv.ParseUint(targetBasename, 10, 64)`
			`if err != nil {`
			`return nil, fmt.Errorf("Cannot parse %s of %s as a number: %s", targetBasename, linkTarget, err)`
			`}`
			`}`
			`} else if !os.IsNotExist(err) {`
			`return nil, fmt.Errorf("Cannot access %s: %s", linkName, err)`
			`}`
			`generation++`
			`dir := filepath.Join(secretMountpoint, strconv.Itoa(int(generation)))`
			`if _, err := os.Stat(dir); !os.IsNotExist(err) {`
			`if err := os.RemoveAll(dir); err != nil {`
			`return nil, fmt.Errorf("Cannot remove existing %s: %s", dir, err)`
			`}`
			`}`
			`if err := os.Mkdir(dir, os.FileMode(0750)); err != nil {`
			`return nil, fmt.Errorf("mkdir(): %s", err)`
			`}`
			`if err := os.Chown(dir, 0, int(keysGid)); err != nil {`
			`return nil, fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %s", dir, keysGid, err)`
			`}`
			`return &dir, nil`
			`}`

			`func writeSecrets(secretDir string, secrets []secret) error {`
			`for _, secret := range secrets {`
			`filepath := filepath.Join(secretDir, secret.Name)`
			`if err := ioutil.WriteFile(filepath, []byte(secret.value), secret.mode); err != nil {`
			`return fmt.Errorf("Cannot write %s: %s", filepath, err)`
			`}`
			`if err := os.Chown(filepath, secret.owner, secret.group); err != nil {`
			`return fmt.Errorf("Cannot change owner/group of '%s' to %d/%d: %s", filepath, secret.owner, secret.group, err)`
			`}`
			`}`
			`return nil`
			`}`

			`func lookupKeysGroup() (int, error) {`
			`group, err := user.LookupGroup("keys")`
			`if err != nil {`
			`return 0, fmt.Errorf("Failed to lookup 'keys' group: %s", err)`
			`}`
			`gid, err := strconv.ParseInt(group.Gid, 10, 64)`
			`if err != nil {`
			`return 0, fmt.Errorf("Cannot parse keys gid %s: %s", group.Gid, err)`
			`}`
			`return int(gid), nil`
			`}`

add validation mode 2020-07-19 16:09:27 +00:00			`func (app appContext) loadSopsFile(s secret) (*secretFile, error) {`
			`if app.checkMode == Manifest {`
			`return &secretFile{firstSecret: s}, nil`
			`}`

			`cipherText, err := ioutil.ReadFile(s.SopsFile)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed reading %s: %s", s.SopsFile, err)`
			`}`

			`var keys map[string]interface{}`
			`if s.Format == Binary {`
			`if err := json.Unmarshal(cipherText, &keys); err != nil {`
			`return nil, fmt.Errorf("Cannot parse json of '%s': %s", s.SopsFile, err)`
			`}`
			`return &secretFile{cipherText: cipherText, firstSecret: s}, nil`
			`}`

			`if s.Format == Yaml {`
			`if err := yaml.Unmarshal(cipherText, &keys); err != nil {`
			`return nil, fmt.Errorf("Cannot parse yaml of '%s': %s", s.SopsFile, err)`
			`}`
			`} else if err := json.Unmarshal(cipherText, &keys); err != nil {`
			`return nil, fmt.Errorf("Cannot parse json of '%s': %s", s.SopsFile, err)`
			`}`

			`return &secretFile{`
			`cipherText: cipherText,`
			`keys: keys,`
			`firstSecret: s,`
			`}, nil`

			`}`

			`func (app appContext) validateSopsFile(s secret, file *secretFile) error {`
			`if file.firstSecret.Format != s.Format {`
			`return fmt.Errorf("secret %s defined the format of %s as %s, but it was specified as %s in %s before",`
			`s.Name, s.SopsFile, s.Format,`
			`file.firstSecret.Format, file.firstSecret.Name)`
			`}`
			`if app.checkMode != Manifest && s.Format != Binary {`
			`if _, ok := file.keys[s.Key]; !ok {`
			`return fmt.Errorf("secret %s with the key %s not found in %s", s.Name, s.Key, s.SopsFile)`
			`}`
			`}`
			`return nil`
			`}`

			`func (app appContext) validateSecret(secret secret) error {`
first commit 2020-07-06 06:30:09 +00:00			`mode, err := strconv.ParseUint(secret.Mode, 8, 16)`
			`if err != nil {`
			`return fmt.Errorf("Invalid number in mode: %d: %s", mode, err)`
			`}`
			`secret.mode = os.FileMode(mode)`

			`owner, err := user.Lookup(secret.Owner)`
			`if err != nil {`
			`return fmt.Errorf("Failed to lookup user '%s': %s", secret.Owner, err)`
			`}`
			`ownerNr, err := strconv.ParseUint(owner.Uid, 10, 64)`
			`if err != nil {`
			`return fmt.Errorf("Cannot parse uid %s: %s", owner.Uid, err)`
			`}`
			`secret.owner = int(ownerNr)`

			`group, err := user.LookupGroup(secret.Group)`
			`if err != nil {`
			`return fmt.Errorf("Failed to lookup group '%s': %s", secret.Group, err)`
			`}`
			`groupNr, err := strconv.ParseUint(group.Gid, 10, 64)`
			`if err != nil {`
			`return fmt.Errorf("Cannot parse gid %s: %s", group.Gid, err)`
			`}`
			`secret.group = int(groupNr)`

			`if secret.Format == "" {`
			`secret.Format = "yaml"`
			`}`

			`if secret.Format != "yaml" && secret.Format != "json" && secret.Format != "binary" {`
add validation mode 2020-07-19 16:09:27 +00:00			`return fmt.Errorf("Unsupported format %s for secret %s", secret.Format, secret.Name)`
first commit 2020-07-06 06:30:09 +00:00			`}`

add validation mode 2020-07-19 16:09:27 +00:00			`file, ok := app.secretFiles[secret.SopsFile]`
			`if !ok {`
			`maybeFile, err := app.loadSopsFile(secret)`
			`if err != nil {`
			`return err`
			`}`
			`app.secretFiles[secret.SopsFile] = *maybeFile`
			`file = *maybeFile`
			`}`

			`return app.validateSopsFile(secret, &file)`
first commit 2020-07-06 06:30:09 +00:00			`}`

add validation mode 2020-07-19 16:09:27 +00:00			`func (app *appContext) validateManifest() error {`
			`m := &app.manifest`
first commit 2020-07-06 06:30:09 +00:00			`if m.SecretsMountPoint == "" {`
			`m.SecretsMountPoint = "/run/secrets.d"`
			`}`
			`if m.SymlinkPath == "" {`
			`m.SymlinkPath = "/run/secrets"`
			`}`
add tests + ssh key support 2020-07-12 12:50:55 +00:00			`if len(m.SSHKeyPaths) > 0 && m.GnupgHome != "" {`
			`return errors.New("gnupgHome and sshKeyPaths were specified in the manifest. " +`
			`"Both options are mutual exclusive.")`
			`}`
first commit 2020-07-06 06:30:09 +00:00			`for i := range m.Secrets {`
add validation mode 2020-07-19 16:09:27 +00:00			`if err := app.validateSecret(&m.Secrets[i]); err != nil {`
first commit 2020-07-06 06:30:09 +00:00			`return err`
			`}`
			`}`
			`return nil`
			`}`

			`func atomicSymlink(oldname, newname string) error {`
			`// Fast path: if newname does not exist yet, we can skip the whole dance`
			`// below.`
			`if err := os.Symlink(oldname, newname); err == nil \|\| !os.IsExist(err) {`
			`return err`
			`}`

			`// We need to use ioutil.TempDir, as we cannot overwrite a ioutil.TempFile,`
			`// and removing+symlinking creates a TOCTOU race.`
			`d, err := ioutil.TempDir(filepath.Dir(newname), "."+filepath.Base(newname))`
			`if err != nil {`
			`return err`
			`}`
			`cleanup := true`
			`defer func() {`
			`if cleanup {`
			`os.RemoveAll(d)`
			`}`
			`}()`

			`symlink := filepath.Join(d, "tmp.symlink")`
			`if err := os.Symlink(oldname, symlink); err != nil {`
			`return err`
			`}`

			`if err := os.Rename(symlink, newname); err != nil {`
			`return err`
			`}`

			`cleanup = false`
			`return os.RemoveAll(d)`
			`}`

add tests + ssh key support 2020-07-12 12:50:55 +00:00			`func importSSHKeys(keyPaths []string, gpgHome string) error {`
			`secringPath := filepath.Join(gpgHome, "secring.gpg")`
secring: open with more secure umask 2020-07-14 12:41:03 +00:00
			`secring, err := os.OpenFile(secringPath, os.O_WRONLY\|os.O_CREATE, 0600)`
add tests + ssh key support 2020-07-12 12:50:55 +00:00			`if err != nil {`
			`return fmt.Errorf("Cannot create %s: %s", secringPath, err)`
			`}`
			`for _, path := range keyPaths {`
			`sshKey, err := ioutil.ReadFile(path)`
			`if err != nil {`
			`return fmt.Errorf("Cannot read ssh key '%s': %s", path, err)`
			`}`
			`gpgKey, err := sshkeys.SSHPrivateKeyToPGP(sshKey)`
			`if err != nil {`
			`return err`
			`}`
sops-install-secrets: log gpg fingerprint 2020-07-14 12:41:32 +00:00
add tests + ssh key support 2020-07-12 12:50:55 +00:00			`if err := gpgKey.SerializePrivate(secring, nil); err != nil {`
			`return fmt.Errorf("Cannot write secring: %s", err)`
			`}`
sops-install-secrets: log gpg fingerprint 2020-07-14 12:41:32 +00:00
sops-install-secrets: improve error message 2020-07-14 12:49:54 +00:00			`fmt.Printf("%s: Imported %s with fingerprint %s\n", os.Args[0], path, hex.EncodeToString(gpgKey.PrimaryKey.Fingerprint[:]))`
add tests + ssh key support 2020-07-12 12:50:55 +00:00			`}`

			`return nil`
			`}`

			`type keyring struct {`
			`path string`
			`}`

			`func (k *keyring) Remove() {`
			`os.RemoveAll(k.path)`
			`os.Unsetenv("GNUPGHOME")`
			`}`

			`func setupGPGKeyring(sshKeys []string, parentDir string) (*keyring, error) {`
			`dir, err := ioutil.TempDir(parentDir, "gpg")`
			`if err != nil {`
			`return nil, fmt.Errorf("Cannot create gpg home in '%s': %s", parentDir, err)`
			`}`
			`k := keyring{dir}`

			`if err := importSSHKeys(sshKeys, dir); err != nil {`
			`os.RemoveAll(dir)`
			`return nil, err`
			`}`
			`os.Setenv("GNUPGHOME", dir)`

			`return &k, nil`
			`}`

add validate flag 2020-07-19 10:32:59 +00:00			`func parseFlags(args []string) (*options, error) {`
			`var opts options`
			`fs := flag.NewFlagSet(args[0], flag.ContinueOnError)`
			`fs.Usage = func() {`
			`fmt.Fprintf(flag.CommandLine.Output(), "Usage: %s [OPTION] manifest.json\n", args[0])`
			`fs.PrintDefaults()`
			`}`
add validation mode 2020-07-19 16:09:27 +00:00			`var checkMode string`
			fs.StringVar(&checkMode, "check-mode", "off", `Validate configuration without installing it (possible values: "manifest","sopsfile","off")`)
add validate flag 2020-07-19 10:32:59 +00:00			`if err := fs.Parse(args[1:]); err != nil {`
			`return nil, err`
			`}`

add validation mode 2020-07-19 16:09:27 +00:00			`switch CheckMode(checkMode) {`
			`case Manifest, SopsFile, Off:`
			`opts.checkMode = CheckMode(checkMode)`
			`default:`
			`return nil, fmt.Errorf("Invalid value provided for -check-mode flag: %s", opts.checkMode)`
			`}`

add validate flag 2020-07-19 10:32:59 +00:00			`if fs.NArg() != 1 {`
			`flag.Usage()`
			`return nil, flag.ErrHelp`
			`}`
			`opts.manifest = fs.Arg(0)`
			`return &opts, nil`
			`}`

first commit 2020-07-06 06:30:09 +00:00			`func installSecrets(args []string) error {`
add validate flag 2020-07-19 10:32:59 +00:00			`opts, err := parseFlags(args)`
			`if err != nil {`
			`return err`
first commit 2020-07-06 06:30:09 +00:00			`}`
add validate flag 2020-07-19 10:32:59 +00:00
			`manifest, err := readManifest(opts.manifest)`
first commit 2020-07-06 06:30:09 +00:00			`if err != nil {`
add tests + ssh key support 2020-07-12 12:50:55 +00:00			`return err`
first commit 2020-07-06 06:30:09 +00:00			`}`

add validation mode 2020-07-19 16:09:27 +00:00			`app := appContext{`
			`manifest: *manifest,`
			`checkMode: opts.checkMode,`
			`secretFiles: make(map[string]secretFile),`
			`}`

			`if err := app.validateManifest(); err != nil {`
first commit 2020-07-06 06:30:09 +00:00			`return fmt.Errorf("Manifest is not valid: %s", err)`
			`}`

add validation mode 2020-07-19 16:09:27 +00:00			`if app.checkMode != Off {`
add validate flag 2020-07-19 10:32:59 +00:00			`return nil`
			`}`

first commit 2020-07-06 06:30:09 +00:00			`keysGid, err := lookupKeysGroup()`
			`if err != nil {`
			`return err`
			`}`

add tests + ssh key support 2020-07-12 12:50:55 +00:00			`if err := mountSecretFs(manifest.SecretsMountPoint, keysGid); err != nil {`
			`return fmt.Errorf("Failed to mount filesystem for secrets: %s", err)`
first commit 2020-07-06 06:30:09 +00:00			`}`

add tests + ssh key support 2020-07-12 12:50:55 +00:00			`if len(manifest.SSHKeyPaths) != 0 {`
			`keyring, err := setupGPGKeyring(manifest.SSHKeyPaths, manifest.SecretsMountPoint)`
			`if err != nil {`
			`return fmt.Errorf("Error setting up gpg keyring: %s", err)`
			`}`
			`defer keyring.Remove()`
			`} else if manifest.GnupgHome != "" {`
			`os.Setenv("GNUPGHOME", manifest.GnupgHome)`
first commit 2020-07-06 06:30:09 +00:00			`}`
add tests + ssh key support 2020-07-12 12:50:55 +00:00
			`if err := decryptSecrets(manifest.Secrets); err != nil {`
			`return err`
first commit 2020-07-06 06:30:09 +00:00			`}`
add tests + ssh key support 2020-07-12 12:50:55 +00:00
first commit 2020-07-06 06:30:09 +00:00			`secretDir, err := prepareSecretsDir(manifest.SecretsMountPoint, manifest.SymlinkPath, keysGid)`
			`if err != nil {`
			`return fmt.Errorf("Failed to prepare new secrets directory: %s", err)`
			`}`
			`if err := writeSecrets(*secretDir, manifest.Secrets); err != nil {`
			`return fmt.Errorf("Cannot write secrets: %s", err)`
			`}`
add tests + ssh key support 2020-07-12 12:50:55 +00:00			`if err := symlinkSecrets(manifest.SymlinkPath, manifest.Secrets); err != nil {`
			`return fmt.Errorf("Failed to prepare symlinks to secret store: %s", err)`
			`}`
first commit 2020-07-06 06:30:09 +00:00			`if err := atomicSymlink(*secretDir, manifest.SymlinkPath); err != nil {`
			`return fmt.Errorf("Cannot update secrets symlink: %s", err)`
			`}`

			`return nil`

			`}`

			`func main() {`
			`if err := installSecrets(os.Args); err != nil {`
add validate flag 2020-07-19 10:32:59 +00:00			`if err == flag.ErrHelp {`
			`return`
			`}`
first commit 2020-07-06 06:30:09 +00:00			`fmt.Fprintf(os.Stderr, "%s: %s\n", os.Args[0], err)`
			`os.Exit(1)`
			`}`
			`}`