eliminate deps and update

umputun · Mar 16, 2021 · cce7811 · cce7811
1 parent 8a8e018
commit cce7811
Show file tree

Hide file tree

Showing 75 changed files with 804 additions and 5,565 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,10 +7,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - name: set up go 1.13
-      uses: actions/setup-go@v1
+    - name: set up go 1.16
+      uses: actions/setup-go@v2
       with:
-        go-version: 1.13
+        go-version: 1.16
       id: go
 
     - name: Check out code into the Go module directory

diff --git a/.gitignore b/.gitignore
@@ -20,3 +20,4 @@ debug.test
 /web/public/
 *.prof
 *.test
+/var
diff --git a/Makefile b/Makefile
@@ -0,0 +1,28 @@
+B=$(shell git rev-parse --abbrev-ref HEAD)
+BRANCH=$(subst /,-,$(B))
+GITREV=$(shell git describe --abbrev=7 --always --tags)
+REV=$(GITREV)-$(BRANCH)-$(shell date +%Y%m%d-%H:%M:%S)
+
+all: build docker frontend
+
+build: info
+	- cd backend/app; GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-X main.revision=$(REV)" -o ../target/secrets
+
+docker:
+	- docker build -t secrets:$(BRANCH) .
+
+frontend:
+	- docker run --rm -it --name=secrets.tmp -d secrets:$(BRANCH) /bin/sh
+	- docker cp secrets.tmp:/srv/docroot/ ./var/docroot
+	- docker rm -f secrets.tmp
+
+push:
+	- docker secrets:${BRANCH}
+
+check:
+	- cd backend/app; golangci-lint run --out-format=tab --tests=false ./...
+
+info:
+	- @echo "revision $(REV)"
+
+.PHONY: bin info frontend docker
diff --git a/backend/app/main.go b/backend/app/main.go
@@ -20,6 +20,7 @@ var opts struct {
 	MaxExpire      time.Duration `long:"expire" env:"MAX_EXPIRE" default:"24h" description:"max lifetime"`
 	MaxPinAttempts int           `long:"pinattempts" env:"PIN_ATTEMPTS" default:"3" description:"max attempts to enter pin"`
 	BoltDB         string        `long:"bolt" env:"BOLT_FILE" default:"/tmp/secrets.bd" description:"boltdb file"`
+	WebRoot        string        `long:"web" env:"WEB" default:"/srv/docroot" description:"web ui location"`
 	Dbg            bool          `long:"dbg" description:"debug mode"`
 }
 
@@ -42,14 +43,15 @@ func main() {
 		PinSize:        opts.PinSize,
 		MaxExpire:      opts.MaxExpire,
 		MaxPinAttempts: opts.MaxPinAttempts,
+		WebRoot:        opts.WebRoot,
 		Version:        revision,
 	}
 	if err := srv.Run(); err != nil {
 		log.Printf("[ERROR] failed, %+v", err)
 	}
 }
 
-func getEngine(engineType, boltFile string) store.Engine {
+func getEngine(engineType, boltFile string) messager.Engine {
 	switch engineType {
 	case "MEMORY":
 		return store.NewInMemory(time.Minute * 5)

diff --git a/backend/app/messager/crypt.go b/backend/app/messager/crypt.go
@@ -1,12 +1,13 @@
 package messager
 
 import (
-	"encoding/hex"
+	"crypto/rand"
+	"encoding/base64"
 	"fmt"
+	"io"
 
-	"github.com/kevinburke/nacl"
-	"github.com/kevinburke/nacl/secretbox"
 	"github.com/pkg/errors"
+	"golang.org/x/crypto/nacl/secretbox"
 )
 
 // Crypt data with a global key + pin
@@ -25,33 +26,47 @@ type Request struct {
 // Encrypt to hex with secretbox
 func (c Crypt) Encrypt(req Request) ([]byte, error) {
 
-	if len(c.Key)+len(req.Pin) != 32 {
-		return nil, errors.New("key+pin should be 32 bytes")
+	keyWithPin := fmt.Sprintf("%s%s", c.Key, req.Pin)
+	if len(keyWithPin) != 32 {
+		return nil, errors.Errorf("key+pin should be 32 bytes, got %d", len(keyWithPin))
 	}
-	hexKey := hex.EncodeToString([]byte(fmt.Sprintf("%s%s", c.Key, req.Pin)))
-	key, err := nacl.Load(hexKey)
-	if err != nil {
-		return nil, errors.Wrap(err, "can't make encryption key")
+
+	naclKey := new([32]byte)
+	copy(naclKey[:], keyWithPin[:32])
+	nonce := new([24]byte)
+	if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {
+		return nil, errors.Wrap(err, "could not read from random")
 	}
-	return secretbox.EasySeal(req.Data, key), nil
+	out := make([]byte, 24)
+	copy(out, nonce[:])
+	sealed := secretbox.Seal(out, req.Data, nonce, naclKey)
+	return []byte(base64.StdEncoding.EncodeToString(sealed)), nil
 }
 
 // Decrypt from hex with secretbox
 func (c Crypt) Decrypt(req Request) ([]byte, error) {
-
-	if len(c.Key)+len(req.Pin) != 32 {
+	keyWithPin := fmt.Sprintf("%s%s", c.Key, req.Pin)
+	if len(keyWithPin) != 32 {
 		return nil, errors.New("key+pin should be 32 bytes")
 	}
-	key, err := nacl.Load(hex.EncodeToString([]byte(fmt.Sprintf("%s%s", c.Key, req.Pin))))
+
+	naclKey := new([32]byte)
+	copy(naclKey[:], keyWithPin[:32])
+
+	sealed, err := base64.StdEncoding.DecodeString(string(req.Data))
 	if err != nil {
-		return nil, errors.Wrap(err, "can't make decryption key")
+		return nil, errors.Wrap(err, "failed to decode")
 	}
 
-	decrypted, err := secretbox.EasyOpen(req.Data, key)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to decrypt")
+	nonce := new([24]byte)
+	copy(nonce[:], sealed[:24])
+
+	decrypted, ok := secretbox.Open(nil, sealed[24:], nonce, naclKey)
+	if !ok {
+		return nil, errors.New("failed to decrypt")
 	}
 	return decrypted, nil
+
 }
 
 // MakeSignKey creates 32-pin bytes signKey for AES256

diff --git a/backend/app/messager/crypt_mock.go b/backend/app/messager/crypt_mock.go
diff --git a/backend/app/messager/crypt_test.go b/backend/app/messager/crypt_test.go
@@ -40,7 +40,7 @@ func TestCrypt(t *testing.T) {
 		{
 			data: "dfasdfasd asdfasdfa asdfasdf asdfasdfasdf asdfasdf",
 			pin:  "abcd",
-			err:  fmt.Errorf("key+pin should be 32 bytes"),
+			err:  fmt.Errorf("key+pin should be 32 bytes, got 31"),
 		},
 	}