diff --git a/Dockerfile b/Dockerfile index 5d7b30e..f4986ba 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,4 +5,4 @@ RUN apk add --no-cache ca-certificates && update-ca-certificates EXPOSE 8080 -CMD secrethub-http-proxy -C ${SECRETHUB_CREDENTIAL:-$(cat /secrethub/credential)} -P ${SECRETHUB_CREDENTIAL_PASSPHRASE} -h 0.0.0.0 -p 8080 +CMD secrethub-http-proxy -C ${SECRETHUB_CREDENTIAL:-$(cat /secrethub/credential)} -P ${SECRETHUB_CREDENTIAL_PASSPHRASE:-""} -h 0.0.0.0 -p 8080 diff --git a/cmd/secrethub-http-proxy/main.go b/cmd/secrethub-http-proxy/main.go index 3c7dcc5..dae9a56 100644 --- a/cmd/secrethub-http-proxy/main.go +++ b/cmd/secrethub-http-proxy/main.go @@ -10,6 +10,7 @@ import ( "github.com/keylockerbv/secrethub-http-proxy/pkg/restproxy" "github.com/secrethub/secrethub-go/pkg/secrethub" + "golang.org/x/crypto/ssh/terminal" ) var ( @@ -32,7 +33,7 @@ func init() { exit(fmt.Errorf("credential is required")) } - cred, err := secrethub.NewCredential(credential, credentialPassphrase) + cred, err := findCredential(credential, credentialPassphrase) if err != nil { exit(err) } @@ -40,6 +41,38 @@ func init() { client = secrethub.NewClient(cred, nil) } +func findCredential(credential string, passphrase string) (secrethub.Credential, error) { + parser := secrethub.NewCredentialParser(secrethub.DefaultCredentialDecoders) + + encoded, err := parser.Parse(credential) + if err != nil { + return nil, err + } + + if encoded.IsEncrypted() { + if passphrase == "" { + passphrase, err = promptPassword() + if err != nil { + return nil, err + } + } + + key, err := secrethub.NewPassBasedKey([]byte(passphrase)) + if err != nil { + return nil, err + } + + credential, err := encoded.DecodeEncrypted(key) + if err != nil { + return nil, err + } + + return credential, err + } + + return encoded.Decode() +} + func main() { proxy := restproxy.NewRESTProxy(client, host, port) 
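Review bot: The new CMD line still expands the credential (via `$(cat /secrethub/credential)` or `$SECRETHUB_CREDENTIAL`) and the passphrase into the process argument list, so both are readable by any process in the container through `ps` or `/proc/<pid>/cmdline` for as long as the proxy runs; the `:-""` default correctly stops `-P` from consuming `-h` as its value when the variable is unset, but it does not change that exposure. Since the binary now knows how to prompt when `-P` is empty, the cleaner shape is for it to read the passphrase from the environment and the credential from the file itself, leaving neither on the command line. Note also that with the empty default an encrypted credential run without a TTY (`docker run` without `-it`) will fall through to the terminal prompt and fail; a comment above CMD such as `# SECRETHUB_CREDENTIAL_PASSPHRASE is required for encrypted credentials when no TTY is attached` would save users a confusing error.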
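Review bot: With this change `init()` can block on an interactive passphrase prompt (the path added in findCredential below) before `main` has even started, which is surprising for package initialisation and makes the binary awkward to run under `go test` or any harness that imports the package. Resolving the credential in `main()` instead — `cred, err := findCredential(credential, credentialPassphrase)` followed by the same `exit(err)` and `secrethub.NewClient(cred, nil)` — keeps the side effects where callers expect them; the enclosing `init` body starts above this hunk, so the flag handling it depends on is not visible here.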
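Review bot: Inside findCredential, `credential, err := encoded.DecodeEncrypted(key)` declares a new `secrethub.Credential` named `credential` that shadows the `credential string` parameter within the `if` block, and the `return credential, err` that follows returns an `err` already known to be nil; `cred, err := encoded.DecodeEncrypted(key)` and `return cred, nil` avoid the shadowing and make the success path explicit. The function is also missing a doc comment; something like `// findCredential decodes a credential string, prompting on the terminal for a passphrase when the credential is encrypted and none was supplied.` would do. A smaller point: the passphrase returned by the prompt is converted to a Go string, which cannot be zeroed once it is no longer needed — if that matters for this deployment, keep it as the `[]byte` that ReadPassword already produces and clear it after NewPassBasedKey returns, though that is a judgement call rather than a defect. The hunk also carries the tail of `init` and the first lines of `main` as context, both of which continue outside it.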
@@ -52,6 +85,17 @@ func main() { } } +func promptPassword() (string, error) { + fmt.Printf("Please put in the passphrase to unlock your credential:") + password, err := terminal.ReadPassword(int(syscall.Stdin)) + fmt.Println() + if err != nil { + return "", err + } + + return string(password), nil +} + func gracefulShutdown(proxy restproxy.ClientProxy) { sigint := make(chan os.Signal, 1) diff --git a/go.mod b/go.mod index b228807..8c3d50b 100644 --- a/go.mod +++ b/go.mod @@ -3,4 +3,6 @@ module github.com/keylockerbv/secrethub-http-proxy require ( github.com/gorilla/mux v1.7.0 github.com/secrethub/secrethub-go v0.17.0 + golang.org/x/crypto v0.0.0-20190225124518-7f87c0fbb88b + golang.org/x/sys v0.0.0-20190329044733-9eb1bfa1ce65 // indirect ) diff --git a/go.sum b/go.sum index b1e57be..e874321 100644 --- a/go.sum +++ b/go.sum @@ -31,5 +31,7 @@ github.com/secrethub/secrethub-go v0.17.0 h1:AlRbFlLofhzY7Onv1QRI0u0iB4UTr8PCrNW github.com/secrethub/secrethub-go v0.17.0/go.mod h1:gqrxdTNcVowCy/Bo49Y+7En12aV24wnoG3ktUF9xW/k= golang.org/x/crypto v0.0.0-20190225124518-7f87c0fbb88b h1:+/WWzjwW6gidDJnMKWLKLX1gxn7irUTF1fLpQovfQ5M= golang.org/x/crypto v0.0.0-20190225124518-7f87c0fbb88b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/sys v0.0.0-20190329044733-9eb1bfa1ce65 h1:hOY+O8MxdkPV10pNf7/XEHaySCiPKxixMKUshfHsGn0= +golang.org/x/sys v0.0.0-20190329044733-9eb1bfa1ce65/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
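Review bot: promptPassword prints the prompt and the closing newline on stdout while reading the secret from stdin, so whenever the proxy's stdout is redirected to a log the prompt is invisible and the process simply appears to hang; writing them with `fmt.Fprint(os.Stderr, "Please put in the passphrase to unlock your credential:")` and `fmt.Fprintln(os.Stderr)` keeps the prompt on the terminal. When stdin is not a terminal at all (a container started without `-t`, a service manager) `terminal.ReadPassword` fails with a bare ioctl error; a guard such as `if !terminal.IsTerminal(int(syscall.Stdin)) { return "", fmt.Errorf("credential is encrypted and no passphrase was given, but stdin is not a terminal") }` before the read gives the operator an actionable message instead. `os` is already imported (gracefulShutdown uses `os.Signal`), but `syscall` is not added by the import hunk, so it is presumably imported above the visible context. A doc comment, `// promptPassword reads a passphrase from the terminal on stdin without echoing it.`, would complete the function.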