Read secrets from a file

1 files changed, 137 insertions, 19 deletions

diff --git a/main.go b/main.go
index 777a2d7..2c99e0e 100644
--- a/main.go
+++ b/main.go
@@ -2,9 +2,13 @@ package main
 
 import (
         "bytes"
+        "encoding/json"
+        "errors"
         "fmt"
         "github.com/miekg/dns"
+        "io/ioutil"
         "net/http"
+        "strings"
         "text/template"
         "time"
 )
@@ -14,17 +18,115 @@ type Zone struct {
         View string
 }
 
-var SECRETS = map[string]string{
-        "crute-me-internal.":          "",
-        "crute-me-external.":          "",
-        "crute-us-internal.":          "",
-        "crute-us-external.":          "",
-        "crute-org-internal.":         "",
-        "crute-org-external.":         "",
-        "faldowski-com-internal.":     "",
-        "faldowski-com-external.":     "",
-        "softgroupcorp-com-internal.": "",
-        "softgroupcorp-com-external.": "",
+type TSIGSecrets struct {
+        secrets   map[string]map[string]TSIGSecret
+        viewzones map[string][]string
+}
+
+func NewTSIGSecrets() *TSIGSecrets {
+        return &TSIGSecrets{
+                secrets:   make(map[string]map[string]TSIGSecret),
+                viewzones: make(map[string][]string),
+        }
+}
+
+func (t *TSIGSecrets) GetViews() []string {
+        r := make([]string, 0, len(t.viewzones))
+        for k := range t.viewzones {
+                r = append(r, k)
+        }
+        return r
+}
+
+func (t *TSIGSecrets) GetViewZones() map[string][]string {
+        return t.viewzones
+}
+
+func (t *TSIGSecrets) UnmarshalJSON(d []byte) error {
+        v := make(map[string]map[string]string)
+
+        if err := json.Unmarshal(d, &v); err != nil {
+                return err
+        }
+
+        for k, v := range v {
+                o := strings.Split(k, "-")
+                view := o[len(o)-1]
+
+                d := make([]string, len(o))
+                copy(d, o[:len(o)-1])
+                dn := strings.Join(d, ".")
+
+                a, ok := v["algorithm"]
+                if !ok {
+                        a = "hmac-sha256."
+                }
+
+                if !strings.HasSuffix(a, ".") {
+                        a = fmt.Sprintf("%s.", a)
+                }
+
+                if _, ok := t.viewzones[view]; !ok {
+                        t.viewzones[view] = make([]string, 1)
+                        t.viewzones[view] = append(t.viewzones[view], dn)
+                } else {
+                        t.viewzones[view] = append(t.viewzones[view], dn)
+                }
+
+                if _, ok := t.secrets[view]; !ok {
+                        t.secrets[view] = make(map[string]TSIGSecret)
+                }
+
+                if !strings.HasSuffix(k, ".") {
+                        k = fmt.Sprintf("%s.", k)
+                }
+
+                t.secrets[view][dn] = TSIGSecret{
+                        KeyName:   k,
+                        Algorithm: a,
+                        Secret:    v["secret"],
+                }
+        }
+
+        return nil
+}
+
+func (t *TSIGSecrets) GetSecret(zone, view string) (*TSIGSecret, error) {
+        if !strings.HasSuffix(zone, ".") {
+                zone = fmt.Sprintf("%s.", zone)
+        }
+
+        if _, ok := t.secrets[view]; !ok {
+                return nil, errors.New("No keys for requested zone")
+        }
+
+        key, ok := t.secrets[view][zone]
+        if !ok {
+                return nil, errors.New("No keys for requested view of zone")
+        }
+
+        return &key, nil
+}
+
+type Signable interface {
+        SetTsig(string, string, uint16, int64) *dns.Msg
+}
+
+// TODO: Name and Algorithm end with dot (.)
+type TSIGSecret struct {
+        KeyName   string
+        Algorithm string `json:"algorithm"`
+        Secret    string `json:"secret"`
+}
+
+func (t *TSIGSecret) Sign(r Signable) {
+        r.SetTsig(t.KeyName, t.Algorithm, 300, time.Now().Unix())
+}
+
+func (t *TSIGSecret) AsMap() map[string]string {
+        return map[string]string{
+                t.KeyName: t.Secret,
+        }
 }
 
 func getValue(v interface{}) string {
@@ -62,15 +164,17 @@ func getValue(v interface{}) string {
         }
 }
 
-func getDns() chan *dns.Envelope {
+func getDns(sm *TSIGSecrets) chan *dns.Envelope {
+        s, _ := sm.GetSecret("crute.us", "external")
+
         c := &dns.Transfer{}
-        c.TsigSecret = SECRETS
+        c.TsigSecret = s.AsMap()
 
         m := &dns.Msg{}
-        m.SetAxfr("crute.me.")
-        m.SetTsig("crute-me-internal.", dns.HmacSHA256, 300, time.Now().Unix())
+        m.SetAxfr("crute.us.")
+        s.Sign(m)
 
-        in, err := c.In(m, "172.31.46.225:53")
+        in, err := c.In(m, "172.16.18.52:53")
         if err != nil {
                 fmt.Printf("Error: %s\n", err.Error())
                 return nil
@@ -109,10 +213,24 @@ func handler(w http.ResponseWriter, r *http.Request) {
                 "dnsTTL":   dnsTTL,
         }
         t, _ := template.New("").Funcs(fm).ParseFiles("dns.html")
-        t.ExecuteTemplate(w, "dns.html", getDns())
+        t.ExecuteTemplate(w, "dns.html", getDns(nil))
 }
 
 func main() {
-        http.HandleFunc("/", handler)
-        http.ListenAndServe(":8080", nil)
+        /*
+                http.HandleFunc("/", handler)
+                http.ListenAndServe(":8080", nil)
+        */
+
+        c, _ := ioutil.ReadFile("secrets.json")
+        k := NewTSIGSecrets()
+        json.Unmarshal(c, k)
+
+        //fmt.Printf("%+v\n", k)
+        for r := range getDns(k) {
+                for _, rr := range r.RR {
+                        /* hlen := len(rr.Header().String())
+                           fmt.Printf("%+v\n", rr.String()[hlen:]) */
+                }
+        }
 }