From 30c6879b423e2efdd451e99783cdfe5551e0bdcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 19 Jul 2020 17:09:27 +0100 Subject: [PATCH] add validation mode --- pkgs/sops-install-secrets/main.go | 177 +++++++++++++++++++++---- pkgs/sops-install-secrets/main_test.go | 31 +++++ 2 files changed, 180 insertions(+), 28 deletions(-) diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go index 6f09e3f..ddae4da 100644 --- a/pkgs/sops-install-secrets/main.go +++ b/pkgs/sops-install-secrets/main.go @@ -21,16 +21,16 @@ import ( ) type secret struct { - Name string `json:"name"` - Key string `json:"key"` - Path string `json:"path"` - Owner string `json:"owner"` - Group string `json:"group"` - SopsFile string `json:"sopsFile"` - Format string `json:"format"` - Mode string `json:"mode"` - RestartServices []string `json:"restartServices"` - ReloadServices []string `json:"reloadServices"` + Name string `json:"name"` + Key string `json:"key"` + Path string `json:"path"` + Owner string `json:"owner"` + Group string `json:"group"` + SopsFile string `json:"sopsFile"` + Format FormatType `json:"format"` + Mode string `json:"mode"` + RestartServices []string `json:"restartServices"` + ReloadServices []string `json:"reloadServices"` value []byte mode os.FileMode owner int @@ -45,6 +45,60 @@ type manifest struct { GnupgHome string `json:"gnupgHome"` } +type secretFile struct { + cipherText []byte + keys map[string]interface{} + /// First secret that defined this secretFile, used for error messages + firstSecret *secret +} + +type FormatType string + +const ( + Yaml FormatType = "yaml" + Json FormatType = "json" + Binary FormatType = "binary" +) + +func (f *FormatType) UnmarshalJSON(b []byte) error { + var s string + if err := json.Unmarshal(b, &s); err != nil { + return err + } + var t = FormatType(s) + switch t { + case "": + *f = Yaml + case Yaml, Json, Binary: + *f = t + } + + return nil +} + +func (f FormatType) MarshalJSON() ([]byte, error) { + return json.Marshal(string(f)) +} + +type CheckMode string + +const ( + Manifest CheckMode = "manifest" + SopsFile CheckMode = "sopsfile" + Off CheckMode = "off" +) + +type options struct { + checkMode CheckMode + manifest string +} + +type appContext struct { + manifest manifest + secretFiles map[string]secretFile + checkMode CheckMode +} + func readManifest(path string) (*manifest, error) { file, err := os.Open(path) if err != nil { @@ -103,14 +157,14 @@ type plainData struct { func decryptSecret(s *secret, sourceFiles map[string]plainData) error { sourceFile := sourceFiles[s.SopsFile] if sourceFile.data == nil || sourceFile.binary == nil { - plain, err := decrypt.File(s.SopsFile, s.Format) + plain, err := decrypt.File(s.SopsFile, string(s.Format)) if err != nil { return fmt.Errorf("Failed to decrypt '%s': %s", s.SopsFile, err) } - if s.Format == "binary" { + if s.Format == Binary { sourceFile.binary = plain } else { - if s.Format == "yaml" { + if s.Format == Yaml { if err := yaml.Unmarshal(plain, &sourceFile.data); err != nil { return fmt.Errorf("Cannot parse yaml of '%s': %s", s.SopsFile, err) } @@ -121,7 +175,7 @@ func decryptSecret(s *secret, sourceFiles map[string]plainData) error { } } } - if s.Format == "binary" { + if s.Format == Binary { s.value = sourceFile.binary } else { val, ok := sourceFile.data[s.Key] @@ -215,7 +269,55 @@ func lookupKeysGroup() (int, error) { return int(gid), nil } -func validateSecret(secret *secret) error { +func (app *appContext) loadSopsFile(s *secret) (*secretFile, error) { + if app.checkMode == Manifest { + return &secretFile{firstSecret: s}, nil + } + + cipherText, err := ioutil.ReadFile(s.SopsFile) + if err != nil { + return nil, fmt.Errorf("Failed reading %s: %s", s.SopsFile, err) + } + + var keys map[string]interface{} + if s.Format == Binary { + if err := json.Unmarshal(cipherText, &keys); err != nil { + return nil, fmt.Errorf("Cannot parse json of '%s': %s", s.SopsFile, err) + } + return &secretFile{cipherText: cipherText, firstSecret: s}, nil + } + + if s.Format == Yaml { + if err := yaml.Unmarshal(cipherText, &keys); err != nil { + return nil, fmt.Errorf("Cannot parse yaml of '%s': %s", s.SopsFile, err) + } + } else if err := json.Unmarshal(cipherText, &keys); err != nil { + return nil, fmt.Errorf("Cannot parse json of '%s': %s", s.SopsFile, err) + } + + return &secretFile{ + cipherText: cipherText, + keys: keys, + firstSecret: s, + }, nil + +} + +func (app *appContext) validateSopsFile(s *secret, file *secretFile) error { + if file.firstSecret.Format != s.Format { + return fmt.Errorf("secret %s defined the format of %s as %s, but it was specified as %s in %s before", + s.Name, s.SopsFile, s.Format, + file.firstSecret.Format, file.firstSecret.Name) + } + if app.checkMode != Manifest && s.Format != Binary { + if _, ok := file.keys[s.Key]; !ok { + return fmt.Errorf("secret %s with the key %s not found in %s", s.Name, s.Key, s.SopsFile) + } + } + return nil +} + +func (app *appContext) validateSecret(secret *secret) error { mode, err := strconv.ParseUint(secret.Mode, 8, 16) if err != nil { return fmt.Errorf("Invalid number in mode: %d: %s", mode, err) @@ -247,14 +349,24 @@ func validateSecret(secret *secret) error { } if secret.Format != "yaml" && secret.Format != "json" && secret.Format != "binary" { - return fmt.Errorf("Unsupported format %s for secret %s", - secret.Format, secret.Name) + return fmt.Errorf("Unsupported format %s for secret %s", secret.Format, secret.Name) } - return nil + file, ok := app.secretFiles[secret.SopsFile] + if !ok { + maybeFile, err := app.loadSopsFile(secret) + if err != nil { + return err + } + app.secretFiles[secret.SopsFile] = *maybeFile + file = *maybeFile + } + + return app.validateSopsFile(secret, &file) } -func validateManifest(m *manifest) error { +func (app *appContext) validateManifest() error { + m := &app.manifest if m.SecretsMountPoint == "" { m.SecretsMountPoint = "/run/secrets.d" } @@ -266,7 +378,7 @@ func validateManifest(m *manifest) error { "Both options are mutual exclusive.") } for i := range m.Secrets { - if err := validateSecret(&m.Secrets[i]); err != nil { + if err := app.validateSecret(&m.Secrets[i]); err != nil { return err } } @@ -358,11 +470,6 @@ func setupGPGKeyring(sshKeys []string, parentDir string) (*keyring, error) { return &k, nil } -type options struct { - check bool - manifest string -} - func parseFlags(args []string) (*options, error) { var opts options fs := flag.NewFlagSet(args[0], flag.ContinueOnError) @@ -370,11 +477,19 @@ func parseFlags(args []string) (*options, error) { fmt.Fprintf(flag.CommandLine.Output(), "Usage: %s [OPTION] manifest.json\n", args[0]) fs.PrintDefaults() } - fs.BoolVar(&opts.check, "check", false, "Validate manifest instead installing it") + var checkMode string + fs.StringVar(&checkMode, "check-mode", "off", `Validate configuration without installing it (possible values: "manifest","sopsfile","off")`) if err := fs.Parse(args[1:]); err != nil { return nil, err } + switch CheckMode(checkMode) { + case Manifest, SopsFile, Off: + opts.checkMode = CheckMode(checkMode) + default: + return nil, fmt.Errorf("Invalid value provided for -check-mode flag: %s", opts.checkMode) + } + if fs.NArg() != 1 { flag.Usage() return nil, flag.ErrHelp @@ -394,11 +509,17 @@ func installSecrets(args []string) error { return err } - if err := validateManifest(manifest); err != nil { + app := appContext{ + manifest: *manifest, + checkMode: opts.checkMode, + secretFiles: make(map[string]secretFile), + } + + if err := app.validateManifest(); err != nil { return fmt.Errorf("Manifest is not valid: %s", err) } - if opts.check { + if app.checkMode != Off { return nil } diff --git a/pkgs/sops-install-secrets/main_test.go b/pkgs/sops-install-secrets/main_test.go index fedee8a..895b3e4 100644 --- a/pkgs/sops-install-secrets/main_test.go +++ b/pkgs/sops-install-secrets/main_test.go @@ -213,3 +213,34 @@ func TestAll(t *testing.T) { testGPG(t) testSSHKey(t) } + +func TestValidateManifest(t *testing.T) { + assets := testAssetPath() + + testdir := newTestDir(t) + defer testdir.Remove() + + s := secret{ + Name: "test", + Key: "test_key", + Owner: "nobody", + Group: "nogroup", + SopsFile: path.Join(assets, "secrets.yaml"), + Path: path.Join(testdir.path, "test-target"), + Mode: "0400", + RestartServices: []string{}, + ReloadServices: make([]string, 0), + } + + m := manifest{ + Secrets: []secret{s}, + SecretsMountPoint: testdir.secretsPath, + SymlinkPath: testdir.symlinkPath, + SSHKeyPaths: []string{"non-existing-key"}, + } + + path := writeManifest(t, testdir.path, &m) + + ok(t, installSecrets([]string{"sops-install-secrets", "-check-mode=manifest", path})) + ok(t, installSecrets([]string{"sops-install-secrets", "-check-mode=sopsfile", path})) +}