448 lines
16 KiB
Go
448 lines
16 KiB
Go
package vault
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"log/slog"
|
|
"path/filepath"
|
|
"regexp"
|
|
"strings"
|
|
"time"
|
|
|
|
"filippo.io/age"
|
|
"git.eeqj.de/sneak/secret/internal/secret"
|
|
"github.com/spf13/afero"
|
|
)
|
|
|
|
// ListSecrets returns a list of secret names in this vault
|
|
func (v *Vault) ListSecrets() ([]string, error) {
|
|
secret.DebugWith("Listing secrets in vault", slog.String("vault_name", v.Name))
|
|
|
|
vaultDir, err := v.GetDirectory()
|
|
if err != nil {
|
|
secret.Debug("Failed to get vault directory for secret listing", "error", err, "vault_name", v.Name)
|
|
return nil, err
|
|
}
|
|
|
|
secretsDir := filepath.Join(vaultDir, "secrets.d")
|
|
|
|
// Check if secrets directory exists
|
|
exists, err := afero.DirExists(v.fs, secretsDir)
|
|
if err != nil {
|
|
secret.Debug("Failed to check secrets directory", "error", err, "secrets_dir", secretsDir)
|
|
return nil, fmt.Errorf("failed to check if secrets directory exists: %w", err)
|
|
}
|
|
if !exists {
|
|
secret.Debug("Secrets directory does not exist", "secrets_dir", secretsDir, "vault_name", v.Name)
|
|
return []string{}, nil
|
|
}
|
|
|
|
// List directories in secrets.d
|
|
files, err := afero.ReadDir(v.fs, secretsDir)
|
|
if err != nil {
|
|
secret.Debug("Failed to read secrets directory", "error", err, "secrets_dir", secretsDir)
|
|
return nil, fmt.Errorf("failed to read secrets directory: %w", err)
|
|
}
|
|
|
|
var secrets []string
|
|
for _, file := range files {
|
|
if file.IsDir() {
|
|
// Convert storage name back to secret name
|
|
secretName := strings.ReplaceAll(file.Name(), "%", "/")
|
|
secrets = append(secrets, secretName)
|
|
}
|
|
}
|
|
|
|
secret.DebugWith("Found secrets in vault",
|
|
slog.String("vault_name", v.Name),
|
|
slog.Int("secret_count", len(secrets)),
|
|
slog.Any("secret_names", secrets),
|
|
)
|
|
|
|
return secrets, nil
|
|
}
|
|
|
|
// isValidSecretName validates secret names according to the format [a-z0-9\.\-\_\/]+
|
|
func isValidSecretName(name string) bool {
|
|
if name == "" {
|
|
return false
|
|
}
|
|
matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_\/]+$`, name)
|
|
return matched
|
|
}
|
|
|
|
// AddSecret adds a secret to this vault
|
|
func (v *Vault) AddSecret(name string, value []byte, force bool) error {
|
|
secret.DebugWith("Adding secret to vault",
|
|
slog.String("vault_name", v.Name),
|
|
slog.String("secret_name", name),
|
|
slog.Int("value_length", len(value)),
|
|
slog.Bool("force", force),
|
|
)
|
|
|
|
// Validate secret name
|
|
if !isValidSecretName(name) {
|
|
secret.Debug("Invalid secret name provided", "secret_name", name)
|
|
return fmt.Errorf("invalid secret name '%s': must match pattern [a-z0-9.\\-_/]+", name)
|
|
}
|
|
secret.Debug("Secret name validation passed", "secret_name", name)
|
|
|
|
secret.Debug("Getting vault directory")
|
|
vaultDir, err := v.GetDirectory()
|
|
if err != nil {
|
|
secret.Debug("Failed to get vault directory for secret addition", "error", err, "vault_name", v.Name)
|
|
return err
|
|
}
|
|
secret.Debug("Got vault directory", "vault_dir", vaultDir)
|
|
|
|
// Convert slashes to percent signs for storage
|
|
storageName := strings.ReplaceAll(name, "/", "%")
|
|
secretDir := filepath.Join(vaultDir, "secrets.d", storageName)
|
|
|
|
secret.DebugWith("Secret storage details",
|
|
slog.String("storage_name", storageName),
|
|
slog.String("secret_dir", secretDir),
|
|
)
|
|
|
|
// Check if secret already exists
|
|
secret.Debug("Checking if secret already exists", "secret_dir", secretDir)
|
|
exists, err := afero.DirExists(v.fs, secretDir)
|
|
if err != nil {
|
|
secret.Debug("Failed to check if secret exists", "error", err, "secret_dir", secretDir)
|
|
return fmt.Errorf("failed to check if secret exists: %w", err)
|
|
}
|
|
secret.Debug("Secret existence check complete", "exists", exists)
|
|
|
|
if exists && !force {
|
|
secret.Debug("Secret already exists and force not specified", "secret_name", name, "secret_dir", secretDir)
|
|
return fmt.Errorf("secret %s already exists (use --force to overwrite)", name)
|
|
}
|
|
|
|
// Create secret directory
|
|
secret.Debug("Creating secret directory", "secret_dir", secretDir)
|
|
if err := v.fs.MkdirAll(secretDir, 0700); err != nil {
|
|
secret.Debug("Failed to create secret directory", "error", err, "secret_dir", secretDir)
|
|
return fmt.Errorf("failed to create secret directory: %w", err)
|
|
}
|
|
secret.Debug("Created secret directory successfully")
|
|
|
|
// Step 1: Generate a new keypair for this secret
|
|
secret.Debug("Generating secret-specific keypair", "secret_name", name)
|
|
secretIdentity, err := age.GenerateX25519Identity()
|
|
if err != nil {
|
|
secret.Debug("Failed to generate secret keypair", "error", err, "secret_name", name)
|
|
return fmt.Errorf("failed to generate secret keypair: %w", err)
|
|
}
|
|
|
|
secretPublicKey := secretIdentity.Recipient().String()
|
|
secretPrivateKey := secretIdentity.String()
|
|
|
|
secret.DebugWith("Generated secret keypair",
|
|
slog.String("secret_name", name),
|
|
slog.String("public_key", secretPublicKey),
|
|
)
|
|
|
|
// Step 2: Store the secret's public key
|
|
pubKeyPath := filepath.Join(secretDir, "pub.age")
|
|
secret.Debug("Writing secret public key", "path", pubKeyPath)
|
|
if err := afero.WriteFile(v.fs, pubKeyPath, []byte(secretPublicKey), 0600); err != nil {
|
|
secret.Debug("Failed to write secret public key", "error", err, "path", pubKeyPath)
|
|
return fmt.Errorf("failed to write secret public key: %w", err)
|
|
}
|
|
secret.Debug("Wrote secret public key successfully")
|
|
|
|
// Step 3: Encrypt the secret value to the secret's public key
|
|
secret.Debug("Encrypting secret value to secret's public key", "secret_name", name)
|
|
encryptedValue, err := secret.EncryptToRecipient(value, secretIdentity.Recipient())
|
|
if err != nil {
|
|
secret.Debug("Failed to encrypt secret value", "error", err, "secret_name", name)
|
|
return fmt.Errorf("failed to encrypt secret value: %w", err)
|
|
}
|
|
|
|
secret.DebugWith("Secret value encrypted",
|
|
slog.String("secret_name", name),
|
|
slog.Int("encrypted_length", len(encryptedValue)),
|
|
)
|
|
|
|
// Step 4: Store the encrypted secret value as value.age
|
|
valuePath := filepath.Join(secretDir, "value.age")
|
|
secret.Debug("Writing encrypted secret value", "path", valuePath)
|
|
if err := afero.WriteFile(v.fs, valuePath, encryptedValue, 0600); err != nil {
|
|
secret.Debug("Failed to write encrypted secret value", "error", err, "path", valuePath)
|
|
return fmt.Errorf("failed to write encrypted secret value: %w", err)
|
|
}
|
|
secret.Debug("Wrote encrypted secret value successfully")
|
|
|
|
// Step 5: Get long-term public key for encrypting the secret's private key
|
|
ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
|
|
secret.Debug("Reading long-term public key", "path", ltPubKeyPath)
|
|
|
|
ltPubKeyData, err := afero.ReadFile(v.fs, ltPubKeyPath)
|
|
if err != nil {
|
|
secret.Debug("Failed to read long-term public key", "error", err, "path", ltPubKeyPath)
|
|
return fmt.Errorf("failed to read long-term public key: %w", err)
|
|
}
|
|
secret.Debug("Read long-term public key successfully", "key_length", len(ltPubKeyData))
|
|
|
|
secret.Debug("Parsing long-term public key")
|
|
ltRecipient, err := age.ParseX25519Recipient(string(ltPubKeyData))
|
|
if err != nil {
|
|
secret.Debug("Failed to parse long-term public key", "error", err)
|
|
return fmt.Errorf("failed to parse long-term public key: %w", err)
|
|
}
|
|
|
|
secret.DebugWith("Parsed long-term public key", slog.String("recipient", ltRecipient.String()))
|
|
|
|
// Step 6: Encrypt the secret's private key to the long-term public key
|
|
secret.Debug("Encrypting secret private key to long-term public key", "secret_name", name)
|
|
encryptedPrivKey, err := secret.EncryptToRecipient([]byte(secretPrivateKey), ltRecipient)
|
|
if err != nil {
|
|
secret.Debug("Failed to encrypt secret private key", "error", err, "secret_name", name)
|
|
return fmt.Errorf("failed to encrypt secret private key: %w", err)
|
|
}
|
|
|
|
secret.DebugWith("Secret private key encrypted",
|
|
slog.String("secret_name", name),
|
|
slog.Int("encrypted_length", len(encryptedPrivKey)),
|
|
)
|
|
|
|
// Step 7: Store the encrypted secret private key as priv.age
|
|
privKeyPath := filepath.Join(secretDir, "priv.age")
|
|
secret.Debug("Writing encrypted secret private key", "path", privKeyPath)
|
|
if err := afero.WriteFile(v.fs, privKeyPath, encryptedPrivKey, 0600); err != nil {
|
|
secret.Debug("Failed to write encrypted secret private key", "error", err, "path", privKeyPath)
|
|
return fmt.Errorf("failed to write encrypted secret private key: %w", err)
|
|
}
|
|
secret.Debug("Wrote encrypted secret private key successfully")
|
|
|
|
// Step 8: Create and write metadata
|
|
secret.Debug("Creating secret metadata")
|
|
now := time.Now()
|
|
metadata := SecretMetadata{
|
|
Name: name,
|
|
CreatedAt: now,
|
|
UpdatedAt: now,
|
|
}
|
|
|
|
secret.DebugWith("Creating secret metadata",
|
|
slog.String("secret_name", metadata.Name),
|
|
slog.Time("created_at", metadata.CreatedAt),
|
|
slog.Time("updated_at", metadata.UpdatedAt),
|
|
)
|
|
|
|
secret.Debug("Marshaling secret metadata")
|
|
metadataBytes, err := json.MarshalIndent(metadata, "", " ")
|
|
if err != nil {
|
|
secret.Debug("Failed to marshal secret metadata", "error", err)
|
|
return fmt.Errorf("failed to marshal secret metadata: %w", err)
|
|
}
|
|
secret.Debug("Marshaled secret metadata successfully")
|
|
|
|
metadataPath := filepath.Join(secretDir, "secret-metadata.json")
|
|
secret.Debug("Writing secret metadata", "path", metadataPath)
|
|
if err := afero.WriteFile(v.fs, metadataPath, metadataBytes, 0600); err != nil {
|
|
secret.Debug("Failed to write secret metadata", "error", err, "path", metadataPath)
|
|
return fmt.Errorf("failed to write secret metadata: %w", err)
|
|
}
|
|
secret.Debug("Wrote secret metadata successfully")
|
|
|
|
secret.Debug("Successfully added secret to vault with per-secret key architecture", "secret_name", name, "vault_name", v.Name)
|
|
return nil
|
|
}
|
|
|
|
// GetSecret retrieves a secret from this vault
|
|
func (v *Vault) GetSecret(name string) ([]byte, error) {
|
|
secret.DebugWith("Getting secret from vault",
|
|
slog.String("vault_name", v.Name),
|
|
slog.String("secret_name", name),
|
|
)
|
|
|
|
// Create a secret object to handle file access
|
|
secretObj := secret.NewSecret(v, name)
|
|
|
|
// Check if secret exists
|
|
exists, err := secretObj.Exists()
|
|
if err != nil {
|
|
secret.Debug("Failed to check if secret exists", "error", err, "secret_name", name)
|
|
return nil, fmt.Errorf("failed to check if secret exists: %w", err)
|
|
}
|
|
if !exists {
|
|
secret.Debug("Secret not found in vault", "secret_name", name, "vault_name", v.Name)
|
|
return nil, fmt.Errorf("secret %s not found", name)
|
|
}
|
|
|
|
secret.Debug("Secret exists, proceeding with vault unlock and decryption", "secret_name", name)
|
|
|
|
// Step 1: Unlock the vault (get long-term key in memory)
|
|
longTermIdentity, err := v.UnlockVault()
|
|
if err != nil {
|
|
secret.Debug("Failed to unlock vault", "error", err, "vault_name", v.Name)
|
|
return nil, fmt.Errorf("failed to unlock vault: %w", err)
|
|
}
|
|
|
|
secret.DebugWith("Successfully unlocked vault",
|
|
slog.String("vault_name", v.Name),
|
|
slog.String("secret_name", name),
|
|
slog.String("long_term_public_key", longTermIdentity.Recipient().String()),
|
|
)
|
|
|
|
// Step 2: Use the unlocked vault to decrypt the secret
|
|
decryptedValue, err := v.decryptSecretWithLongTermKey(name, longTermIdentity)
|
|
if err != nil {
|
|
secret.Debug("Failed to decrypt secret with long-term key", "error", err, "secret_name", name)
|
|
return nil, fmt.Errorf("failed to decrypt secret: %w", err)
|
|
}
|
|
|
|
secret.DebugWith("Successfully decrypted secret with per-secret key architecture",
|
|
slog.String("secret_name", name),
|
|
slog.String("vault_name", v.Name),
|
|
slog.Int("decrypted_length", len(decryptedValue)),
|
|
)
|
|
|
|
return decryptedValue, nil
|
|
}
|
|
|
|
// UnlockVault unlocks the vault and returns the long-term private key
|
|
func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
|
|
secret.Debug("Unlocking vault", "vault_name", v.Name)
|
|
|
|
// If vault is already unlocked, return the cached key
|
|
if !v.Locked() {
|
|
secret.Debug("Vault already unlocked, returning cached long-term key", "vault_name", v.Name)
|
|
return v.longTermKey, nil
|
|
}
|
|
|
|
// Get or derive the long-term key (but don't store it yet)
|
|
longTermIdentity, err := v.GetOrDeriveLongTermKey()
|
|
if err != nil {
|
|
secret.Debug("Failed to get or derive long-term key", "error", err, "vault_name", v.Name)
|
|
return nil, fmt.Errorf("failed to get long-term key: %w", err)
|
|
}
|
|
|
|
// Now unlock the vault by storing the key in memory
|
|
v.Unlock(longTermIdentity)
|
|
|
|
secret.DebugWith("Successfully unlocked vault",
|
|
slog.String("vault_name", v.Name),
|
|
slog.String("public_key", longTermIdentity.Recipient().String()),
|
|
)
|
|
|
|
return longTermIdentity, nil
|
|
}
|
|
|
|
// decryptSecretWithLongTermKey decrypts a secret using the provided long-term key
|
|
func (v *Vault) decryptSecretWithLongTermKey(name string, longTermIdentity *age.X25519Identity) ([]byte, error) {
|
|
secret.DebugWith("Decrypting secret with long-term key",
|
|
slog.String("secret_name", name),
|
|
slog.String("vault_name", v.Name),
|
|
)
|
|
|
|
// Get vault and secret directories
|
|
vaultDir, err := v.GetDirectory()
|
|
if err != nil {
|
|
secret.Debug("Failed to get vault directory", "error", err, "vault_name", v.Name)
|
|
return nil, err
|
|
}
|
|
|
|
storageName := strings.ReplaceAll(name, "/", "%")
|
|
secretDir := filepath.Join(vaultDir, "secrets.d", storageName)
|
|
|
|
// Step 1: Read the encrypted secret private key from priv.age
|
|
encryptedSecretPrivKeyPath := filepath.Join(secretDir, "priv.age")
|
|
secret.Debug("Reading encrypted secret private key", "path", encryptedSecretPrivKeyPath)
|
|
|
|
encryptedSecretPrivKey, err := afero.ReadFile(v.fs, encryptedSecretPrivKeyPath)
|
|
if err != nil {
|
|
secret.Debug("Failed to read encrypted secret private key", "error", err, "path", encryptedSecretPrivKeyPath)
|
|
return nil, fmt.Errorf("failed to read encrypted secret private key: %w", err)
|
|
}
|
|
|
|
secret.DebugWith("Read encrypted secret private key",
|
|
slog.String("secret_name", name),
|
|
slog.Int("encrypted_length", len(encryptedSecretPrivKey)),
|
|
)
|
|
|
|
// Step 2: Decrypt the secret's private key using the long-term private key
|
|
secret.Debug("Decrypting secret private key with long-term key", "secret_name", name)
|
|
secretPrivKeyData, err := secret.DecryptWithIdentity(encryptedSecretPrivKey, longTermIdentity)
|
|
if err != nil {
|
|
secret.Debug("Failed to decrypt secret private key", "error", err, "secret_name", name)
|
|
return nil, fmt.Errorf("failed to decrypt secret private key: %w", err)
|
|
}
|
|
|
|
// Step 3: Parse the secret's private key
|
|
secret.Debug("Parsing secret private key", "secret_name", name)
|
|
secretIdentity, err := age.ParseX25519Identity(string(secretPrivKeyData))
|
|
if err != nil {
|
|
secret.Debug("Failed to parse secret private key", "error", err, "secret_name", name)
|
|
return nil, fmt.Errorf("failed to parse secret private key: %w", err)
|
|
}
|
|
|
|
secret.DebugWith("Successfully parsed secret identity",
|
|
slog.String("secret_name", name),
|
|
slog.String("public_key", secretIdentity.Recipient().String()),
|
|
)
|
|
|
|
// Step 4: Read the encrypted secret value from value.age
|
|
encryptedValuePath := filepath.Join(secretDir, "value.age")
|
|
secret.Debug("Reading encrypted secret value", "path", encryptedValuePath)
|
|
|
|
encryptedValue, err := afero.ReadFile(v.fs, encryptedValuePath)
|
|
if err != nil {
|
|
secret.Debug("Failed to read encrypted secret value", "error", err, "path", encryptedValuePath)
|
|
return nil, fmt.Errorf("failed to read encrypted secret value: %w", err)
|
|
}
|
|
|
|
secret.DebugWith("Read encrypted secret value",
|
|
slog.String("secret_name", name),
|
|
slog.Int("encrypted_length", len(encryptedValue)),
|
|
)
|
|
|
|
// Step 5: Decrypt the secret value using the secret's private key
|
|
secret.Debug("Decrypting secret value with secret's private key", "secret_name", name)
|
|
decryptedValue, err := secret.DecryptWithIdentity(encryptedValue, secretIdentity)
|
|
if err != nil {
|
|
secret.Debug("Failed to decrypt secret value", "error", err, "secret_name", name)
|
|
return nil, fmt.Errorf("failed to decrypt secret value: %w", err)
|
|
}
|
|
|
|
secret.DebugWith("Successfully decrypted secret value",
|
|
slog.String("secret_name", name),
|
|
slog.Int("decrypted_length", len(decryptedValue)),
|
|
)
|
|
|
|
return decryptedValue, nil
|
|
}
|
|
|
|
// GetSecretObject retrieves a Secret object with metadata loaded from this vault
|
|
func (v *Vault) GetSecretObject(name string) (*secret.Secret, error) {
|
|
// First check if the secret exists by checking for the metadata file
|
|
vaultDir, err := v.GetDirectory()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Convert slashes to percent signs for storage
|
|
storageName := strings.ReplaceAll(name, "/", "%")
|
|
secretDir := filepath.Join(vaultDir, "secrets.d", storageName)
|
|
|
|
// Check if secret directory exists
|
|
exists, err := afero.DirExists(v.fs, secretDir)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to check if secret exists: %w", err)
|
|
}
|
|
if !exists {
|
|
return nil, fmt.Errorf("secret %s not found", name)
|
|
}
|
|
|
|
// Create a Secret object
|
|
secretObj := secret.NewSecret(v, name)
|
|
|
|
// Load the metadata from disk
|
|
if err := secretObj.LoadMetadata(); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return secretObj, nil
|
|
}
|