state encryption support
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
This commit is contained in:
parent
12436c20bc
commit
f0156f449f
123
dagger/keychain/encrypt.go
Normal file
123
dagger/keychain/encrypt.go
Normal file
@ -0,0 +1,123 @@
|
||||
package keychain
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"go.mozilla.org/sops/v3"
|
||||
"go.mozilla.org/sops/v3/aes"
|
||||
sopsage "go.mozilla.org/sops/v3/age"
|
||||
"go.mozilla.org/sops/v3/cmd/sops/common"
|
||||
"go.mozilla.org/sops/v3/cmd/sops/formats"
|
||||
sopsdecrypt "go.mozilla.org/sops/v3/decrypt"
|
||||
sopskeys "go.mozilla.org/sops/v3/keys"
|
||||
sopsyaml "go.mozilla.org/sops/v3/stores/yaml"
|
||||
"go.mozilla.org/sops/v3/version"
|
||||
)
|
||||
|
||||
// setupEnv: hack to inject a SOPS env var for age
|
||||
func setupEnv() error {
|
||||
p, err := Path()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return os.Setenv("SOPS_AGE_KEY_FILE", p)
|
||||
}
|
||||
|
||||
// Encrypt data using SOPS with the AGE backend, using the provided public key
|
||||
func Encrypt(ctx context.Context, path string, plaintext []byte, key string) ([]byte, error) {
|
||||
if err := setupEnv(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
store := &sopsyaml.Store{}
|
||||
branches, err := store.LoadPlainFile(plaintext)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
ageKeys, err := sopsage.MasterKeysFromRecipients(key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ageMasterKeys := make([]sopskeys.MasterKey, 0, len(ageKeys))
|
||||
for _, k := range ageKeys {
|
||||
ageMasterKeys = append(ageMasterKeys, k)
|
||||
}
|
||||
var group sops.KeyGroup
|
||||
group = append(group, ageMasterKeys...)
|
||||
|
||||
tree := sops.Tree{
|
||||
Branches: branches,
|
||||
Metadata: sops.Metadata{
|
||||
KeyGroups: []sops.KeyGroup{group},
|
||||
EncryptedSuffix: "secret",
|
||||
Version: version.Version,
|
||||
},
|
||||
FilePath: path,
|
||||
}
|
||||
|
||||
// Generate a data key
|
||||
dataKey, errs := tree.GenerateDataKey()
|
||||
if len(errs) > 0 {
|
||||
return nil, fmt.Errorf("error encrypting the data key with one or more master keys: %v", errs)
|
||||
}
|
||||
|
||||
err = common.EncryptTree(common.EncryptTreeOpts{
|
||||
DataKey: dataKey, Tree: &tree, Cipher: aes.NewCipher(),
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return store.EmitEncryptedFile(tree)
|
||||
}
|
||||
|
||||
// Reencrypt a file with new content using the same keys
|
||||
func Reencrypt(_ context.Context, path string, plaintext []byte) ([]byte, error) {
|
||||
if err := setupEnv(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
current, err := os.ReadFile(path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Load the encrypted file
|
||||
store := &sopsyaml.Store{}
|
||||
tree, err := store.LoadEncryptedFile(current)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Update the file with the new data
|
||||
newBranches, err := store.LoadPlainFile(plaintext)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tree.Branches = newBranches
|
||||
|
||||
// Re-encrypt the file
|
||||
key, err := tree.Metadata.GetDataKey()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
err = common.EncryptTree(common.EncryptTreeOpts{
|
||||
DataKey: key, Tree: &tree, Cipher: aes.NewCipher(),
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return store.EmitEncryptedFile(tree)
|
||||
}
|
||||
|
||||
// Decrypt data using sops
|
||||
func Decrypt(_ context.Context, encrypted []byte) ([]byte, error) {
|
||||
if err := setupEnv(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return sopsdecrypt.DataWithFormat(encrypted, formats.Yaml)
|
||||
}
|
96
dagger/keychain/keys.go
Normal file
96
dagger/keychain/keys.go
Normal file
@ -0,0 +1,96 @@
|
||||
package keychain
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/user"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"time"
|
||||
|
||||
"filippo.io/age"
|
||||
"github.com/rs/zerolog/log"
|
||||
)
|
||||
|
||||
func Path() (string, error) {
|
||||
usr, err := user.Current()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return path.Join(usr.HomeDir, ".dagger", "keys.txt"), nil
|
||||
}
|
||||
|
||||
func Default(ctx context.Context) (string, error) {
|
||||
keys, err := List(ctx)
|
||||
if err != nil {
|
||||
if errors.Is(err, os.ErrNotExist) {
|
||||
return Generate(ctx)
|
||||
}
|
||||
return "", err
|
||||
}
|
||||
if len(keys) == 0 {
|
||||
return "", errors.New("no identities found in the keys file")
|
||||
}
|
||||
|
||||
return keys[0].Recipient().String(), nil
|
||||
}
|
||||
|
||||
func Generate(ctx context.Context) (string, error) {
|
||||
keysFile, err := Path()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
k, err := age.GenerateX25519Identity()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("internal error: %v", err)
|
||||
}
|
||||
|
||||
if err := os.MkdirAll(filepath.Dir(keysFile), 0755); err != nil {
|
||||
return "", err
|
||||
}
|
||||
f, err := os.OpenFile(keysFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to open keys file %q: %v", keysFile, err)
|
||||
}
|
||||
defer f.Close()
|
||||
fmt.Fprintf(f, "# created: %s\n", time.Now().Format(time.RFC3339))
|
||||
fmt.Fprintf(f, "# public key: %s\n", k.Recipient())
|
||||
fmt.Fprintf(f, "%s\n", k)
|
||||
|
||||
pubkey := k.Recipient().String()
|
||||
|
||||
log.Ctx(ctx).Debug().Str("publicKey", pubkey).Msg("generating keypair")
|
||||
|
||||
return pubkey, nil
|
||||
}
|
||||
|
||||
func List(ctx context.Context) ([]*age.X25519Identity, error) {
|
||||
keysFile, err := Path()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
f, err := os.Open(keysFile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to open keys file file %q: %w", keysFile, err)
|
||||
}
|
||||
ids, err := age.ParseIdentities(f)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to parse input: %w", err)
|
||||
}
|
||||
|
||||
keys := make([]*age.X25519Identity, 0, len(ids))
|
||||
for _, id := range ids {
|
||||
key, ok := ids[0].(*age.X25519Identity)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("internal error: unexpected identity type: %T", id)
|
||||
}
|
||||
keys = append(keys, key)
|
||||
}
|
||||
|
||||
return keys, nil
|
||||
}
|
@ -3,11 +3,13 @@ package state
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"dagger.io/go/dagger/keychain"
|
||||
"gopkg.in/yaml.v3"
|
||||
)
|
||||
|
||||
@ -26,13 +28,33 @@ const (
|
||||
|
||||
func Init(ctx context.Context, dir, name string) (*State, error) {
|
||||
root := path.Join(dir, daggerDir)
|
||||
err := os.Mkdir(root, 0755)
|
||||
if err != nil {
|
||||
if err := os.Mkdir(root, 0755); err != nil {
|
||||
if errors.Is(err, os.ErrExist) {
|
||||
return nil, ErrAlreadyInit
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
manifestPath := path.Join(dir, daggerDir, manifestFile)
|
||||
|
||||
st := &State{
|
||||
Path: dir,
|
||||
Name: name,
|
||||
}
|
||||
data, err := yaml.Marshal(st)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
key, err := keychain.Default(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
encrypted, err := keychain.Encrypt(ctx, manifestPath, data, key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if err := os.WriteFile(manifestPath, encrypted, 0600); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
err = os.WriteFile(
|
||||
path.Join(root, ".gitignore"),
|
||||
@ -43,12 +65,7 @@ func Init(ctx context.Context, dir, name string) (*State, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
st := &State{
|
||||
Path: dir,
|
||||
Name: name,
|
||||
}
|
||||
|
||||
return st, Save(ctx, st)
|
||||
return st, nil
|
||||
}
|
||||
|
||||
func Current(ctx context.Context) (*State, error) {
|
||||
@ -91,6 +108,11 @@ func Open(ctx context.Context, dir string) (*State, error) {
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
data, err = keychain.Decrypt(ctx, data)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to decrypt state: %w", err)
|
||||
}
|
||||
|
||||
var st State
|
||||
if err := yaml.Unmarshal(data, &st); err != nil {
|
||||
return nil, err
|
||||
@ -111,7 +133,13 @@ func Save(ctx context.Context, st *State) error {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := os.WriteFile(path.Join(st.Path, daggerDir, manifestFile), data, 0600); err != nil {
|
||||
manifestPath := path.Join(st.Path, daggerDir, manifestFile)
|
||||
|
||||
encrypted, err := keychain.Reencrypt(ctx, manifestPath, data)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := os.WriteFile(manifestPath, encrypted, 0600); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
5
go.mod
5
go.mod
@ -3,7 +3,8 @@ module dagger.io/go
|
||||
go 1.16
|
||||
|
||||
require (
|
||||
cuelang.org/go v0.4.0-rc.1
|
||||
cuelang.org/go v0.4.0-beta.1
|
||||
filippo.io/age v1.0.0-rc.1
|
||||
github.com/HdrHistogram/hdrhistogram-go v1.1.0 // indirect
|
||||
github.com/KromDaniel/jonson v0.0.0-20180630143114-d2f9c3c389db
|
||||
github.com/containerd/console v1.0.2
|
||||
@ -17,7 +18,7 @@ require (
|
||||
github.com/morikuni/aec v1.0.0
|
||||
github.com/opencontainers/go-digest v1.0.0
|
||||
github.com/opentracing/opentracing-go v1.2.0
|
||||
github.com/rs/zerolog v1.22.0
|
||||
github.com/rs/zerolog v1.21.0
|
||||
github.com/spf13/cobra v1.1.3
|
||||
github.com/spf13/viper v1.7.1
|
||||
github.com/stretchr/testify v1.7.0
|
||||
|
13
go.sum
13
go.sum
@ -44,12 +44,13 @@ contrib.go.opencensus.io/exporter/ocagent v0.5.0/go.mod h1:ImxhfLRpxoYiSq891pBrL
|
||||
contrib.go.opencensus.io/exporter/stackdriver v0.12.1/go.mod h1:iwB6wGarfphGGe/e5CWqyUk/cLzKnWsOKPVW3no6OTw=
|
||||
contrib.go.opencensus.io/integrations/ocsql v0.1.4/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE=
|
||||
contrib.go.opencensus.io/resource v0.1.1/go.mod h1:F361eGI91LCmW1I/Saf+rX0+OFcigGlFvXwEGEnkRLA=
|
||||
cuelang.org/go v0.4.0-rc.1 h1:X8fsqVhLCvXFhsWMGbI8rjTal45YOgt+ko+m7rOCySM=
|
||||
cuelang.org/go v0.4.0-rc.1/go.mod h1:tz/edkPi+T37AZcb5GlPY+WJkL6KiDlDVupKwL3vvjs=
|
||||
cuelang.org/go v0.4.0-beta.1 h1:/YjeAmymfNdTLSA3jHXNrj8Q+5Zq9by7qNOssqUBM+c=
|
||||
cuelang.org/go v0.4.0-beta.1/go.mod h1:tz/edkPi+T37AZcb5GlPY+WJkL6KiDlDVupKwL3vvjs=
|
||||
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
|
||||
dmitri.shuralyov.com/gpu/mtl v0.0.0-20201218220906-28db891af037/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
|
||||
filippo.io/age v1.0.0-beta7 h1:RZiSK+N3KL2UwT82xiCavjYw8jJHzWMEUYePAukTpk0=
|
||||
filippo.io/age v1.0.0-beta7/go.mod h1:chAuTrTb0FTTmKtvs6fQTGhYTvH9AigjN1uEUsvLdZ0=
|
||||
filippo.io/age v1.0.0-rc.1 h1:jQ+dz16Xxx3W/WY+YS0J96nVAAidLHO3kfQe0eOmKgI=
|
||||
filippo.io/age v1.0.0-rc.1/go.mod h1:Vvd9IlwNo4Au31iqNZeZVnYtGcOf/wT4mtvZQ2ODlSk=
|
||||
filippo.io/edwards25519 v1.0.0-alpha.2/go.mod h1:X+pm78QAUPtFLi1z9PYIlS/bdDnvbCOGKtZ+ACWEf7o=
|
||||
git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
|
||||
git.apache.org/thrift.git v0.12.0/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
|
||||
@ -879,8 +880,8 @@ github.com/rogpeppe/go-internal v1.5.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTE
|
||||
github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
|
||||
github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
|
||||
github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
|
||||
github.com/rs/zerolog v1.22.0 h1:XrVUjV4K+izZpKXZHlPrYQiDtmdGiCylnT4i43AAWxg=
|
||||
github.com/rs/zerolog v1.22.0/go.mod h1:ZPhntP/xmq1nnND05hhpAh2QMhSsA4UN3MGZ6O2J3hM=
|
||||
github.com/rs/zerolog v1.21.0 h1:Q3vdXlfLNT+OftyBHsU0Y445MD+8m8axjKgf2si0QcM=
|
||||
github.com/rs/zerolog v1.21.0/go.mod h1:ZPhntP/xmq1nnND05hhpAh2QMhSsA4UN3MGZ6O2J3hM=
|
||||
github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto=
|
||||
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
|
||||
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
|
||||
@ -899,7 +900,6 @@ github.com/securego/gosec v0.0.0-20200103095621-79fbf3af8d83/go.mod h1:vvbZ2Ae7A
|
||||
github.com/securego/gosec v0.0.0-20200401082031-e946c8c39989/go.mod h1:i9l/TNj+yDFh9SZXUTvspXTjbFXgZGP/UvhU1S65A4A=
|
||||
github.com/securego/gosec/v2 v2.3.0/go.mod h1:UzeVyUXbxukhLeHKV3VVqo7HdoQR9MrRfFmZYotn8ME=
|
||||
github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
|
||||
github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
|
||||
github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
|
||||
github.com/serialx/hashring v0.0.0-20190422032157-8b2912629002/go.mod h1:/yeG0My1xr/u+HZrFQ1tOQQQQrOawfyMUH13ai5brBc=
|
||||
github.com/shirou/gopsutil v0.0.0-20190901111213-e4ec7b275ada/go.mod h1:WWnYX4lzhCH5h/3YBfyVA3VbLYjlMZZAQcW9ojMexNc=
|
||||
@ -1084,6 +1084,7 @@ golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPh
|
||||
golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||
golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
|
||||
golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
|
||||
golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 h1:/ZScEX8SfEmUGRHs0gxpqteO5nfNW6axyZbBdw9A12g=
|
||||
golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
|
||||
golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||
|
Reference in New Issue
Block a user