1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
package secrets
import (
"context"
"crypto/rsa"
"crypto/x509"
"encoding/base64"
"fmt"
"sync"
"time"
"code.crute.us/mcrute/golib/log"
"code.crute.us/mcrute/golib/service"
)
type Handle interface {
Reference() string
}
type Renewal struct {
Name string
Critical bool
Time time.Time
Error error
}
type Credential struct {
Username string `json:"username" mapstructure:"username" yaml:"username"`
Password string `json:"password" mapstructure:"password" yaml:"password"`
}
type ApiKey struct {
Key string `json:"key" mapstructure:"key" yaml:"key"`
}
type AWSCredential struct {
AccessKeyId string `json:"access_key" mapstructure:"access_key" yaml:"access_key"`
SecretAccessKey string `json:"secret_key" mapstructure:"secret_key" yaml:"secret_key"`
SessionToken string `json:"security_token" mapstructure:"security_token" yaml:"security_token"`
}
type RSAKey struct {
Key string `json:"key" mapstructure:"key" yaml:"key"`
}
func (k *RSAKey) RSAPrivateKey() (*rsa.PrivateKey, error) {
der, err := base64.StdEncoding.DecodeString(k.Key)
if err != nil {
return nil, err
}
pr, err := x509.ParsePKCS8PrivateKey(der)
if err != nil {
return nil, err
}
pk, ok := pr.(*rsa.PrivateKey)
if !ok {
return nil, fmt.Errorf("RSAKey: parsed key is not an rsa.PrivateKey")
}
return pk, nil
}
// Client is the interface that users of secrets returned by a secret
// back-end should expect. This interface contains only secret related
// functionality and none of the functions for running the back-end
// itself. This is separate from the manager functions to make it easier
// to inject stubs to code that doesn't care about the fact that a
// manager may exist.
type Client interface {
DatabaseCredential(ctx context.Context, suffix string) (*Credential, Handle, error)
Secret(ctx context.Context, suffix string, out any) (Handle, error)
RawSecret(ctx context.Context, path string, out any) (Handle, error)
AWSIAMUser(ctx context.Context, name string) (*AWSCredential, Handle, error)
AWSAssumeRoleSimple(ctx context.Context, name string) (*AWSCredential, Handle, error)
AWSAssumeRole(ctx context.Context, name string, sessionName string, ttl time.Duration) (*AWSCredential, Handle, error)
WriteSecret(ctx context.Context, suffix string, out any) error
Encrypt(ctx context.Context, suffix string, data []byte) (string, error)
Decrypt(ctx context.Context, suffix, data string) ([]byte, error)
Destroy(Handle) error
MakeNonCritical(Handle) error
}
// ClientManager is like a Client, and contains a Client, but also
// contains other runtime functionality for running the secret back-end
// infrastructure that most consumers of secretes don't care about but
// the main process runner does.
type ClientManager interface {
Client
Authenticate(context.Context) error
Notifications() <-chan Renewal
Run(context.Context, *sync.WaitGroup) error
}
// MakeRenewalLogger subscribes to a ClientManager notification channel
// and logs those to the logger. If a critical credential fails the
// terminator callback will be called which should shut down the
// application in an orderly fashion.
func MakeRenewalLogger(cm ClientManager, log log.LeveledLogger, terminator func()) service.RunnerFunc {
return func(ctx context.Context, wg *sync.WaitGroup) error {
wg.Add(1)
defer wg.Done()
for {
select {
case r := <-cm.Notifications():
if r.Error != nil {
if r.Critical {
log.Errorf("Failed to renew critical secret %s due to %s", r.Name, r.Error)
terminator()
} else {
log.Errorf("Failed to renew non-critical secret %s", r.Name)
}
} else {
log.Infof("Renewing credential %s", r.Name)
}
case <-ctx.Done():
log.Infof("Shutting down secret renewal logger")
return nil
}
}
}
}
|