/
main.go
178 lines (149 loc) · 5.13 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
// Copyright 2019 The Go Cloud Development Kit Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// gocdk-secrets demonstrates the use of the Go CDK secrets package in a
// simple command-line application.
package main
import (
"context"
"encoding/base64"
"flag"
"fmt"
"log"
"os"
"github.com/eliben/gocdkx/secrets"
"github.com/google/subcommands"
// Import the secrets driver packages we want to be able to open.
_ "github.com/eliben/gocdkx/contrib/secrets/vault"
_ "github.com/eliben/gocdkx/secrets/awskms"
_ "github.com/eliben/gocdkx/secrets/azurekeyvault"
_ "github.com/eliben/gocdkx/secrets/gcpkms"
_ "github.com/eliben/gocdkx/secrets/localsecrets"
)
const helpSuffix = `
See https://github.com/eliben/gocdkx/concepts/urls/ for more background on
Go CDK URLs, and sub-packages under github.com/eliben/gocdkx/secrets
(https://godoc.org/github.com/eliben/gocdkx/secrets#pkg-subdirectories)
for details on the secrets.Keeper URL format.
`
func main() {
subcommands.Register(subcommands.HelpCommand(), "")
subcommands.Register(&decryptCmd{}, "")
subcommands.Register(&encryptCmd{}, "")
log.SetFlags(0)
log.SetPrefix("gocdk-secrets: ")
flag.Parse()
os.Exit(int(subcommands.Execute(context.Background())))
}
type decryptCmd struct {
base64in bool
base64out bool
}
func (*decryptCmd) Name() string { return "decrypt" }
func (*decryptCmd) Synopsis() string { return "Decrypt data" }
func (*decryptCmd) Usage() string {
return `decrypt [-base64in] [-base64out] <keeper URL> <ciphertext>
Decrypt the ciphertext using <keeper URL> and print the result to stdout.
Example:
gocdk-secrets decrypt stringkey://mykey nzam9AJHqH1sqeEr1ZLMbWOf4pp5NRHKYBx/h8loARL83+CBc0WPh8dYzHfccQYFUQ==` + helpSuffix
}
func (cmd *decryptCmd) SetFlags(f *flag.FlagSet) {
f.BoolVar(&cmd.base64in, "base64in", true, "the ciphertext is base64 encoded")
f.BoolVar(&cmd.base64out, "base64out", false, "the resulting plaintext should be base64 encoded before printing it out")
}
func (cmd *decryptCmd) Execute(ctx context.Context, f *flag.FlagSet, _ ...interface{}) subcommands.ExitStatus {
if f.NArg() != 2 {
f.Usage()
return subcommands.ExitUsageError
}
keeperURL := f.Arg(0)
ciphertext := f.Arg(1)
cipher := []byte(ciphertext)
if cmd.base64in {
var err error
cipher, err = base64.StdEncoding.DecodeString(ciphertext)
if err != nil {
log.Printf("Failed to base64 decode ciphertext: %v\n", err)
return subcommands.ExitFailure
}
}
// Open a *secrets.Keeper using the keeperURL.
keeper, err := secrets.OpenKeeper(ctx, keeperURL)
if err != nil {
log.Printf("Failed to open keeper: %v\n", err)
return subcommands.ExitFailure
}
defer keeper.Close()
plain, err := keeper.Decrypt(ctx, cipher)
if err != nil {
log.Printf("Failed to decrypt: %v\n", err)
return subcommands.ExitFailure
}
plaintext := string(plain)
if cmd.base64out {
plaintext = base64.StdEncoding.EncodeToString(plain)
}
fmt.Println(plaintext)
return subcommands.ExitSuccess
}
type encryptCmd struct {
base64in bool
base64out bool
}
func (*encryptCmd) Name() string { return "encrypt" }
func (*encryptCmd) Synopsis() string { return "Encrypt data" }
func (*encryptCmd) Usage() string {
return `encrypt [-base64in] [-base64out] <keeper URL> <plaintext>
Encrypt the plaintext using <keeper URL> and print the result to stdout.
Example:
gocdk-secrets encrypt --base64out stringkey://mykey my-plaintext` + helpSuffix
}
func (cmd *encryptCmd) SetFlags(f *flag.FlagSet) {
f.BoolVar(&cmd.base64in, "base64in", false, "the plaintext is base64 encoded")
f.BoolVar(&cmd.base64out, "base64out", true, "the resulting ciphertext should be base64 encoded before printing it out")
}
func (cmd *encryptCmd) Execute(ctx context.Context, f *flag.FlagSet, _ ...interface{}) subcommands.ExitStatus {
if f.NArg() != 2 {
f.Usage()
return subcommands.ExitUsageError
}
keeperURL := f.Arg(0)
plaintext := f.Arg(1)
plain := []byte(plaintext)
if cmd.base64in {
var err error
plain, err = base64.StdEncoding.DecodeString(plaintext)
if err != nil {
log.Printf("Failed to base64 decode plaintext: %v\n", err)
return subcommands.ExitFailure
}
}
// Open a *secrets.Keeper using the keeperURL.
keeper, err := secrets.OpenKeeper(ctx, keeperURL)
if err != nil {
log.Printf("Failed to open keeper: %v\n", err)
return subcommands.ExitFailure
}
defer keeper.Close()
cipher, err := keeper.Encrypt(ctx, plain)
if err != nil {
log.Printf("Failed to encrypt: %v\n", err)
return subcommands.ExitFailure
}
ciphertext := string(cipher)
if cmd.base64out {
ciphertext = base64.StdEncoding.EncodeToString(cipher)
}
fmt.Println(ciphertext)
return subcommands.ExitSuccess
}