Skip to content

Commit

Permalink
+
Browse files Browse the repository at this point in the history
+
  • Loading branch information
oluceps committed Sep 15, 2024
1 parent 7c40183 commit e6cb327
Show file tree
Hide file tree
Showing 2 changed files with 79 additions and 13 deletions.
1 change: 1 addition & 0 deletions TODO.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
- [ ] should get entire Secret when deploy
91 changes: 78 additions & 13 deletions src/cmd/deploy.rs
Original file line number Diff line number Diff line change
@@ -1,15 +1,19 @@
use std::{
collections::HashMap,
fs::{self, DirEntry, ReadDir},
io::ErrorKind,
fs::{self, DirEntry, File, ReadDir},
io::{ErrorKind, Read, Write},
iter,
path::{Path, PathBuf},
str::FromStr,
};

use crate::profile::Profile;

use age::x25519;
use eyre::{eyre, Context, Result};
use spdlog::{debug, error, info};
use spdlog::{debug, error, info, trace};

const KEY_TYPE: &str = "ed25519";
impl Profile {
pub fn get_decrypted_mount_point_path(&self) -> String {
self.settings.decrypted_mount_point.to_string()
Expand All @@ -20,13 +24,35 @@ impl Profile {
pub fn read_decrypted_mount_point(&self) -> std::io::Result<ReadDir> {
fs::read_dir(self.get_decrypted_mount_point_path())
}

pub fn get_host_key_identity(&self) -> Result<age::ssh::Identity> {
if let Some(k) = self
.settings
.host_keys
.iter()
.find(|i| i.r#type == KEY_TYPE)
{
fs::read_to_string(&k.path)
.wrap_err_with(|| eyre!("reading ssh host key error: {}", k.path))
.and_then(|i| {
age::ssh::Identity::from_buffer(i.as_bytes(), Some(String::from("thekey")))
.map_err(|e| eyre!("convert age identity from ssh key error: {}", e))
})
} else {
Err(eyre!("key with type {} not found", KEY_TYPE))
}
}
/// init decrypted mount point and return the generation count
pub fn init_decrypted_mount_point(&self) -> Result<usize> {
let mut max = 0;
let b = match self.read_decrypted_mount_point() {
let res = match self.read_decrypted_mount_point() {
Err(e) if e.kind() == ErrorKind::NotFound => {
fs::create_dir_all(self.get_decrypted_mount_point_path())
.wrap_err("create decrypted mountpoint error")
fs::create_dir_all(self.get_decrypted_mount_point_path()).wrap_err_with(|| {
format!(
"creating decrypted mountpoint: {:?}",
self.get_decrypted_mount_point_path()
)
})
}
Err(e) => {
error!("{}", e);
Expand Down Expand Up @@ -56,13 +82,14 @@ impl Profile {
}
};

Ok(max)
res.map(|_| max)
}
/**
extract secrets to `/run/vaultix.d/$num` and link to `/run/vaultix`
*/
pub fn deploy(self) -> Result<()> {
let storage_name_ctt_map: HashMap<String, Vec<u8>> = {
// hash-name.age => vec<u8>
let name_ciphertext_map: HashMap<String, Vec<u8>> = {
let mut map = HashMap::new();
// dir with host pub key encrypted material, prefix hash
let storage = PathBuf::from(&self.settings.storage_dir_store);
Expand All @@ -80,12 +107,50 @@ impl Profile {
map
};

let secs_map = self.get_renced_store_paths().into_map();
trace!("{:?}", name_ciphertext_map);

for s in secs_map.values().into_iter() {
debug!("found cipher file {:?}", s.canonicalize()?);
}
let generation_count = self.init_decrypted_mount_point()?;

let target_extract_dir_with_gen = {
let mut p = PathBuf::from(self.get_decrypted_mount_point_path());
p.push(generation_count.to_string());

debug!("target extract dir with generation number: {:?}", p);

fs::create_dir_all(&p).map(|_| p).wrap_err(eyre!(
"cannot create target extract dir with generation number"
))?
};

let decrypt_host_ident = &self.get_host_key_identity()?;

name_ciphertext_map.into_iter().for_each(|(n, c)| {
let decryptor = match age::Decryptor::new(&c[..]).expect("parse cipher text error") {
age::Decryptor::Recipients(d) => d,
_ => unreachable!(),
};

let mut decrypted = vec![];

let mut reader = decryptor
.decrypt(iter::once(decrypt_host_ident as &dyn age::Identity))
.unwrap();

let _ = reader.read_to_end(&mut decrypted);

let mut the_file_fd = {
let mut p = target_extract_dir_with_gen.clone();
p.push(n);
File::create(p)
}
.expect("create file error");
the_file_fd
.write_all(&decrypted)
.expect("write decrypted file error")
});

Ok(())
// link back to /run/vaultix
std::os::unix::fs::symlink(target_extract_dir_with_gen, self.get_decrypt_dir_path())
.wrap_err("create symlink error")
}
}

0 comments on commit e6cb327

Please sign in to comment.