sneak
20690ba652
- currentvault now contains just the vault name (e.g., "default") - current-unlocker now contains just the unlocker name (e.g., "passphrase") - current version file now contains just the version (e.g., "20231215.001") - Resolution functions prepend the appropriate directory prefix
395 lines
13 KiB
Go
395 lines
13 KiB
Go
package vault
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"log/slog"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
|
|
"filippo.io/age"
|
|
"git.eeqj.de/sneak/secret/internal/secret"
|
|
"github.com/awnumar/memguard"
|
|
"github.com/spf13/afero"
|
|
)
|
|
|
|
// GetCurrentUnlocker returns the current unlocker for this vault
|
|
func (v *Vault) GetCurrentUnlocker() (secret.Unlocker, error) {
|
|
secret.DebugWith("Getting current unlocker", slog.String("vault_name", v.Name))
|
|
|
|
vaultDir, err := v.GetDirectory()
|
|
if err != nil {
|
|
secret.Debug("Failed to get vault directory for unlocker", "error", err, "vault_name", v.Name)
|
|
|
|
return nil, err
|
|
}
|
|
|
|
currentUnlockerPath := filepath.Join(vaultDir, "current-unlocker")
|
|
|
|
// Check if the symlink exists
|
|
_, err = v.fs.Stat(currentUnlockerPath)
|
|
if err != nil {
|
|
secret.Debug("Failed to stat current unlocker symlink", "error", err, "path", currentUnlockerPath)
|
|
|
|
return nil, fmt.Errorf("failed to read current unlocker: %w", err)
|
|
}
|
|
|
|
// Resolve the symlink to get the target directory
|
|
unlockerDir, err := v.resolveUnlockerDirectory(currentUnlockerPath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
secret.DebugWith("Resolved unlocker directory",
|
|
slog.String("unlocker_dir", unlockerDir),
|
|
slog.String("vault_name", v.Name),
|
|
)
|
|
|
|
// Read unlocker metadata
|
|
metadataPath := filepath.Join(unlockerDir, "unlocker-metadata.json")
|
|
secret.Debug("Reading unlocker metadata", "path", metadataPath)
|
|
|
|
metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
|
|
if err != nil {
|
|
secret.Debug("Failed to read unlocker metadata", "error", err, "path", metadataPath)
|
|
|
|
return nil, fmt.Errorf("failed to read unlocker metadata: %w", err)
|
|
}
|
|
|
|
var metadata UnlockerMetadata
|
|
if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
|
|
secret.Debug("Failed to parse unlocker metadata", "error", err, "path", metadataPath)
|
|
|
|
return nil, fmt.Errorf("failed to parse unlocker metadata: %w", err)
|
|
}
|
|
|
|
secret.DebugWith("Parsed unlocker metadata",
|
|
slog.String("unlocker_type", metadata.Type),
|
|
slog.Time("created_at", metadata.CreatedAt),
|
|
slog.Any("flags", metadata.Flags),
|
|
)
|
|
|
|
// Create unlocker instance using direct constructors with filesystem
|
|
var unlocker secret.Unlocker
|
|
// Use metadata directly as it's already the correct type
|
|
switch metadata.Type {
|
|
case "passphrase":
|
|
secret.Debug("Creating passphrase unlocker instance", "unlocker_type", metadata.Type)
|
|
unlocker = secret.NewPassphraseUnlocker(v.fs, unlockerDir, metadata)
|
|
case "pgp":
|
|
secret.Debug("Creating PGP unlocker instance", "unlocker_type", metadata.Type)
|
|
unlocker = secret.NewPGPUnlocker(v.fs, unlockerDir, metadata)
|
|
case "keychain":
|
|
secret.Debug("Creating keychain unlocker instance", "unlocker_type", metadata.Type)
|
|
unlocker = secret.NewKeychainUnlocker(v.fs, unlockerDir, metadata)
|
|
default:
|
|
secret.Debug("Unsupported unlocker type", "type", metadata.Type)
|
|
|
|
return nil, fmt.Errorf("unsupported unlocker type: %s", metadata.Type)
|
|
}
|
|
|
|
secret.DebugWith("Successfully created unlocker instance",
|
|
slog.String("unlocker_type", unlocker.GetType()),
|
|
slog.String("unlocker_id", unlocker.GetID()),
|
|
slog.String("vault_name", v.Name),
|
|
)
|
|
|
|
return unlocker, nil
|
|
}
|
|
|
|
// resolveUnlockerDirectory reads the current-unlocker file to get the unlocker directory path
|
|
// The file contains just the unlocker name (e.g., "passphrase")
|
|
func (v *Vault) resolveUnlockerDirectory(currentUnlockerPath string) (string, error) {
|
|
secret.Debug("Reading current-unlocker file", "path", currentUnlockerPath)
|
|
|
|
unlockerNameBytes, err := afero.ReadFile(v.fs, currentUnlockerPath)
|
|
if err != nil {
|
|
secret.Debug("Failed to read current-unlocker file", "error", err, "path", currentUnlockerPath)
|
|
|
|
return "", fmt.Errorf("failed to read current unlocker: %w", err)
|
|
}
|
|
|
|
unlockerName := strings.TrimSpace(string(unlockerNameBytes))
|
|
secret.Debug("Read unlocker name from file", "unlocker_name", unlockerName)
|
|
|
|
// Resolve to absolute path: vaultDir/unlockers.d/unlockerName
|
|
vaultDir := filepath.Dir(currentUnlockerPath)
|
|
absolutePath := filepath.Join(vaultDir, "unlockers.d", unlockerName)
|
|
|
|
secret.Debug("Resolved to absolute path", "absolute_path", absolutePath)
|
|
|
|
return absolutePath, nil
|
|
}
|
|
|
|
// findUnlockerByID finds an unlocker by its ID and returns the unlocker instance and its directory path
|
|
func (v *Vault) findUnlockerByID(unlockersDir, unlockerID string) (secret.Unlocker, string, error) {
|
|
files, err := afero.ReadDir(v.fs, unlockersDir)
|
|
if err != nil {
|
|
return nil, "", fmt.Errorf("failed to read unlockers directory: %w", err)
|
|
}
|
|
|
|
for _, file := range files {
|
|
if !file.IsDir() {
|
|
continue
|
|
}
|
|
|
|
// Read metadata file
|
|
metadataPath := filepath.Join(unlockersDir, file.Name(), "unlocker-metadata.json")
|
|
exists, err := afero.Exists(v.fs, metadataPath)
|
|
if err != nil {
|
|
return nil, "", fmt.Errorf("failed to check if metadata exists for unlocker %s: %w", file.Name(), err)
|
|
}
|
|
if !exists {
|
|
// Skip directories without metadata - they might not be unlockers
|
|
continue
|
|
}
|
|
|
|
metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
|
|
if err != nil {
|
|
return nil, "", fmt.Errorf("failed to read metadata for unlocker %s: %w", file.Name(), err)
|
|
}
|
|
|
|
var metadata UnlockerMetadata
|
|
if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
|
|
return nil, "", fmt.Errorf("failed to parse metadata for unlocker %s: %w", file.Name(), err)
|
|
}
|
|
|
|
unlockerDirPath := filepath.Join(unlockersDir, file.Name())
|
|
|
|
// Create the appropriate unlocker instance
|
|
var tempUnlocker secret.Unlocker
|
|
switch metadata.Type {
|
|
case "passphrase":
|
|
tempUnlocker = secret.NewPassphraseUnlocker(v.fs, unlockerDirPath, metadata)
|
|
case "pgp":
|
|
tempUnlocker = secret.NewPGPUnlocker(v.fs, unlockerDirPath, metadata)
|
|
case "keychain":
|
|
tempUnlocker = secret.NewKeychainUnlocker(v.fs, unlockerDirPath, metadata)
|
|
default:
|
|
continue
|
|
}
|
|
|
|
// Check if this unlocker's ID matches
|
|
if tempUnlocker.GetID() == unlockerID {
|
|
return tempUnlocker, unlockerDirPath, nil
|
|
}
|
|
}
|
|
|
|
return nil, "", nil
|
|
}
|
|
|
|
// ListUnlockers returns a list of available unlockers for this vault
|
|
func (v *Vault) ListUnlockers() ([]UnlockerMetadata, error) {
|
|
vaultDir, err := v.GetDirectory()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
unlockersDir := filepath.Join(vaultDir, "unlockers.d")
|
|
|
|
// Check if unlockers directory exists
|
|
exists, err := afero.DirExists(v.fs, unlockersDir)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to check if unlockers directory exists: %w", err)
|
|
}
|
|
if !exists {
|
|
return []UnlockerMetadata{}, nil
|
|
}
|
|
|
|
// List directories in unlockers.d
|
|
files, err := afero.ReadDir(v.fs, unlockersDir)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read unlockers directory: %w", err)
|
|
}
|
|
|
|
var unlockers []UnlockerMetadata
|
|
for _, file := range files {
|
|
if file.IsDir() {
|
|
// Read metadata file
|
|
metadataPath := filepath.Join(unlockersDir, file.Name(), "unlocker-metadata.json")
|
|
exists, err := afero.Exists(v.fs, metadataPath)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to check if metadata exists for unlocker %s: %w", file.Name(), err)
|
|
}
|
|
if !exists {
|
|
return nil, fmt.Errorf("unlocker directory %s is missing metadata file", file.Name())
|
|
}
|
|
|
|
metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read metadata for unlocker %s: %w", file.Name(), err)
|
|
}
|
|
|
|
var metadata UnlockerMetadata
|
|
if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
|
|
return nil, fmt.Errorf("failed to parse metadata for unlocker %s: %w", file.Name(), err)
|
|
}
|
|
|
|
unlockers = append(unlockers, metadata)
|
|
}
|
|
}
|
|
|
|
return unlockers, nil
|
|
}
|
|
|
|
// RemoveUnlocker removes an unlocker from this vault
|
|
func (v *Vault) RemoveUnlocker(unlockerID string) error {
|
|
vaultDir, err := v.GetDirectory()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Find the unlocker directory and create the unlocker instance
|
|
unlockersDir := filepath.Join(vaultDir, "unlockers.d")
|
|
|
|
// Find the unlocker by ID
|
|
unlocker, _, err := v.findUnlockerByID(unlockersDir, unlockerID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if unlocker == nil {
|
|
return fmt.Errorf("unlocker with ID %s not found", unlockerID)
|
|
}
|
|
|
|
// Use the unlocker's Remove method
|
|
return unlocker.Remove()
|
|
}
|
|
|
|
// SelectUnlocker selects an unlocker as current for this vault
|
|
func (v *Vault) SelectUnlocker(unlockerID string) error {
|
|
vaultDir, err := v.GetDirectory()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Find the unlocker directory by ID
|
|
unlockersDir := filepath.Join(vaultDir, "unlockers.d")
|
|
|
|
// Find the unlocker by ID
|
|
_, targetUnlockerDir, err := v.findUnlockerByID(unlockersDir, unlockerID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if targetUnlockerDir == "" {
|
|
return fmt.Errorf("unlocker with ID %s not found", unlockerID)
|
|
}
|
|
|
|
// Create/update current-unlocker file with just the unlocker name
|
|
currentUnlockerPath := filepath.Join(vaultDir, "current-unlocker")
|
|
|
|
// Remove existing file if it exists
|
|
if exists, err := afero.Exists(v.fs, currentUnlockerPath); err != nil {
|
|
return fmt.Errorf("failed to check if current-unlocker file exists: %w", err)
|
|
} else if exists {
|
|
if err := v.fs.Remove(currentUnlockerPath); err != nil {
|
|
return fmt.Errorf("failed to remove existing current-unlocker file: %w", err)
|
|
}
|
|
}
|
|
|
|
// Get just the unlocker name (basename of the directory)
|
|
unlockerName := filepath.Base(targetUnlockerDir)
|
|
|
|
// Write just the unlocker name to the file
|
|
secret.Debug("Writing current-unlocker file", "unlocker_name", unlockerName)
|
|
if err := afero.WriteFile(v.fs, currentUnlockerPath, []byte(unlockerName), secret.FilePerms); err != nil {
|
|
return fmt.Errorf("failed to create current-unlocker file: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// CreatePassphraseUnlocker creates a new passphrase-protected unlocker
|
|
// The passphrase must be provided as a LockedBuffer for security
|
|
func (v *Vault) CreatePassphraseUnlocker(passphrase *memguard.LockedBuffer) (*secret.PassphraseUnlocker, error) {
|
|
vaultDir, err := v.GetDirectory()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get vault directory: %w", err)
|
|
}
|
|
|
|
// Create unlocker directory
|
|
unlockerDir := filepath.Join(vaultDir, "unlockers.d", "passphrase")
|
|
if err := v.fs.MkdirAll(unlockerDir, secret.DirPerms); err != nil {
|
|
return nil, fmt.Errorf("failed to create unlocker directory: %w", err)
|
|
}
|
|
|
|
// Generate new age keypair for unlocker
|
|
unlockerIdentity, err := age.GenerateX25519Identity()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to generate unlocker: %w", err)
|
|
}
|
|
|
|
// Write public key
|
|
pubKeyPath := filepath.Join(unlockerDir, "pub.age")
|
|
if err := afero.WriteFile(v.fs, pubKeyPath,
|
|
[]byte(unlockerIdentity.Recipient().String()),
|
|
secret.FilePerms); err != nil {
|
|
return nil, fmt.Errorf("failed to write unlocker public key: %w", err)
|
|
}
|
|
|
|
// Encrypt private key with passphrase
|
|
privKeyStr := unlockerIdentity.String()
|
|
privKeyBuffer := memguard.NewBufferFromBytes([]byte(privKeyStr))
|
|
defer privKeyBuffer.Destroy()
|
|
encryptedPrivKey, err := secret.EncryptWithPassphrase(privKeyBuffer, passphrase)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to encrypt unlocker private key: %w", err)
|
|
}
|
|
|
|
// Write encrypted private key
|
|
privKeyPath := filepath.Join(unlockerDir, "priv.age")
|
|
if err := afero.WriteFile(v.fs, privKeyPath, encryptedPrivKey, secret.FilePerms); err != nil {
|
|
return nil, fmt.Errorf("failed to write encrypted unlocker private key: %w", err)
|
|
}
|
|
|
|
// Create metadata
|
|
metadata := UnlockerMetadata{
|
|
Type: "passphrase",
|
|
CreatedAt: time.Now(),
|
|
Flags: []string{},
|
|
}
|
|
|
|
// Write metadata
|
|
metadataBytes, err := json.MarshalIndent(metadata, "", " ")
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to marshal metadata: %w", err)
|
|
}
|
|
|
|
metadataPath := filepath.Join(unlockerDir, "unlocker-metadata.json")
|
|
if err := afero.WriteFile(v.fs, metadataPath, metadataBytes, secret.FilePerms); err != nil {
|
|
return nil, fmt.Errorf("failed to write unlocker metadata: %w", err)
|
|
}
|
|
|
|
// Encrypt long-term private key to this unlocker
|
|
// We need to get the long-term key (either from memory if unlocked, or derive it)
|
|
ltIdentity, err := v.GetOrDeriveLongTermKey()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get long-term key: %w", err)
|
|
}
|
|
|
|
ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
|
|
defer ltPrivKeyBuffer.Destroy()
|
|
|
|
encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerIdentity.Recipient())
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to encrypt long-term private key: %w", err)
|
|
}
|
|
|
|
ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
|
|
if err := afero.WriteFile(v.fs, ltPrivKeyPath, encryptedLtPrivKey, secret.FilePerms); err != nil {
|
|
return nil, fmt.Errorf("failed to write encrypted long-term private key: %w", err)
|
|
}
|
|
|
|
// Create the unlocker instance
|
|
unlocker := secret.NewPassphraseUnlocker(v.fs, unlockerDir, metadata)
|
|
|
|
// Select this unlocker as current
|
|
if err := v.SelectUnlocker(unlocker.GetID()); err != nil {
|
|
return nil, fmt.Errorf("failed to select new unlocker: %w", err)
|
|
}
|
|
|
|
return unlocker, nil
|
|
}
|