@reegaviljoen/eldlock 0.1.0

package/eldlock-server/cmd/eldlock-server/main.go

@@ -0,0 +1,132 @@
+package main
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"syscall"
+
+	"github.com/eldlock/eldlock-server/internal/api"
+	"github.com/eldlock/eldlock-server/internal/yubikey"
+)
+
+func main() {
+	if len(os.Args) > 1 && os.Args[1] == "version" {
+		fmt.Println("eldlock-server dev")
+		return
+	}
+
+	if len(os.Args) > 1 && os.Args[1] == "init" {
+		if err := initVault(argAt(2)); err != nil {
+			fmt.Fprintln(os.Stderr, err)
+			os.Exit(1)
+		}
+		return
+	}
+
+	if len(os.Args) > 1 && os.Args[1] == "serve" {
+		if err := serve(); err != nil {
+			fmt.Fprintln(os.Stderr, err)
+			os.Exit(1)
+		}
+		return
+	}
+
+	fmt.Println(`eldlock-server
+
+Usage:
+  eldlock-server version
+  eldlock-server init [name]
+  eldlock-server serve
+
+The serve command starts the local Unix socket API used by eldlock-cli.`)
+}
+
+func initVault(vaultName string) error {
+	stateDir := defaultStateDir()
+	provider, err := yubikey.NewProviderFromEnv()
+	if err != nil {
+		return err
+	}
+	resolver := api.FileStoreResolver{StateDir: stateDir, KeyProvider: provider}
+	normalizedName, err := api.NormalizeVaultName(vaultName)
+	if err != nil {
+		return err
+	}
+	secretStore, err := resolver.StoreForVault(normalizedName)
+	if err != nil {
+		return err
+	}
+	if err := secretStore.Init(); err != nil {
+		return err
+	}
+	fmt.Printf("initialized Eldlock vault %q at %s using %s\n", normalizedName, resolver.PathForVault(normalizedName), provider.Name())
+	return nil
+}
+
+func serve() error {
+	socketPath := defaultSocketPath()
+	stateDir := defaultStateDir()
+
+	provider, err := yubikey.NewProviderFromEnv()
+	if err != nil {
+		return err
+	}
+	resolver := api.FileStoreResolver{StateDir: stateDir, KeyProvider: provider}
+	defaultStore, err := resolver.StoreForVault(api.DefaultVaultName)
+	if err != nil {
+		return err
+	}
+	service := api.NewService(defaultStore)
+	service.StoreResolver = resolver
+	server := api.Server{
+		SocketPath: socketPath,
+		Service:    service,
+	}
+
+	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	defer stop()
+
+	fmt.Printf("eldlock-server listening on %s\n", socketPath)
+	fmt.Printf("encrypted vault state at %s\n", stateDir)
+	fmt.Printf("passkey provider %s\n", provider.Name())
+	return server.ListenAndServe(ctx)
+}
+
+func argAt(index int) string {
+	if len(os.Args) > index {
+		return os.Args[index]
+	}
+	return ""
+}
+
+func defaultSocketPath() string {
+	if value := os.Getenv("ELDLOCK_SOCKET"); value != "" {
+		return value
+	}
+	sum := sha256.Sum256([]byte(defaultStateDir()))
+	digest := hex.EncodeToString(sum[:])[:16]
+	return filepath.Join(os.TempDir(), "eldlock", digest, "daemon.sock")
+}
+
+func defaultStorePath() string {
+	if value := os.Getenv("ELDLOCK_STORE"); value != "" {
+		return value
+	}
+	return filepath.Join(defaultStateDir(), "vault.json")
+}
+
+func defaultStateDir() string {
+	if value := os.Getenv("ELDLOCK_STATE_DIR"); value != "" {
+		return value
+	}
+	cwd, err := os.Getwd()
+	if err == nil {
+		return filepath.Join(cwd, ".eldlock")
+	}
+	return filepath.Join(os.TempDir(), "eldlock")
+}

package/eldlock-server/go.mod

@@ -0,0 +1,10 @@
+module github.com/eldlock/eldlock-server
+
+go 1.26
+
+require (
+	github.com/keys-pub/go-libfido2 v1.5.3 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+)
+
+replace github.com/keys-pub/go-libfido2 => ./internal/libfido2

package/eldlock-server/go.sum

@@ -0,0 +1,11 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/keys-pub/go-libfido2 v1.5.3 h1:vtgHxlSB43u6lj0TSuA3VvT6z3E7VI+L1a2hvMFdECk=
+github.com/keys-pub/go-libfido2 v1.5.3/go.mod h1:P0V19qHwJNY0htZwZDe9Ilvs/nokGhdFX7faKFyZ6+U=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

package/eldlock-server/internal/api/README.md

@@ -0,0 +1,14 @@
+# API
+
+Local Unix socket API for `eldlock-cli`, shell hooks, and other local integrations.
+
+The API is not trusted by default. Every request must be authorized by the server-side policy engine.
+
+Current testable commands:
+
+- `init` creates the daemon-owned prototype vault.
+- `secret.add` stores env and SSH secret material in the daemon-owned store.
+- `secret.read` releases a secret as either plaintext output or a server-side clipboard write.
+- `secret.list` returns secret names and types without values.
+
+The CLI forwards user intent to this API. It must not decide policy, inspect approval state, or write clipboard contents itself.

package/eldlock-server/internal/api/core.go

@@ -0,0 +1,126 @@
+package api
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/eldlock/eldlock-server/internal/store"
+	"github.com/eldlock/eldlock-server/internal/yubikey"
+)
+
+type SecretStore interface {
+	Init() error
+	IsInitialized() (bool, error)
+	Put(store.Secret) error
+	Get(string) (store.Secret, error)
+	Delete(string) error
+	List() ([]store.SecretSummary, error)
+}
+
+type PINSecretStore interface {
+	InitWithPIN(string) error
+	PutWithPIN(store.Secret, string) error
+	GetWithPIN(string, string) (store.Secret, error)
+	DeleteWithPIN(string, string) error
+	ListWithPIN(string) ([]store.SecretSummary, error)
+}
+
+type PINBulkSecretStore interface {
+	PutManyWithPIN([]store.Secret, string) error
+}
+
+type EnvSecretStore interface {
+	EnvWithPIN(string) (map[string]string, error)
+}
+
+type Clipboard interface {
+	Write(context.Context, string) error
+}
+
+type StoreResolver interface {
+	StoreForVault(string) (SecretStore, error)
+}
+
+type Service struct {
+	Store         SecretStore
+	StoreResolver StoreResolver
+	Clipboard     Clipboard
+}
+
+func NewService(secretStore SecretStore) *Service {
+	return &Service{
+		Store:     secretStore,
+		Clipboard: LocalClipboard{},
+	}
+}
+
+func (s *Service) Handle(ctx context.Context, req Request) Response {
+	service, response, ok := s.withRequestStore(req)
+	if !ok {
+		return response
+	}
+
+	switch req.Action {
+	case ActionHealth:
+		return Response{OK: true, Message: "eldlock-server ok"}
+	case ActionInit:
+		return service.initVault(req)
+	case ActionAddSecret:
+		return service.addSecret(req)
+	case ActionReadSecret:
+		return service.readSecret(ctx, req)
+	case ActionRemoveSecret:
+		return service.removeSecret(req)
+	case ActionListSecrets:
+		return service.listSecrets(req)
+	case ActionImportEnv:
+		return service.importEnv(req)
+	case ActionExec:
+		return service.execProcess(ctx, req)
+	default:
+		return failure("unknown action")
+	}
+}
+
+func (s *Service) withRequestStore(req Request) (*Service, Response, bool) {
+	if req.Action == ActionHealth || s.StoreResolver == nil {
+		return s, Response{}, true
+	}
+	secretStore, err := s.StoreResolver.StoreForVault(req.Vault)
+	if err != nil {
+		return nil, failure(fmt.Sprintf("resolve vault: %v", err)), false
+	}
+	scoped := *s
+	scoped.Store = secretStore
+	scoped.StoreResolver = nil
+	return &scoped, Response{}, true
+}
+
+func (s *Service) requireInitialized() Response {
+	initialized, err := s.Store.IsInitialized()
+	if err != nil {
+		return failure(fmt.Sprintf("check vault: %v", err))
+	}
+	if !initialized {
+		return failure("vault is not initialized; run eldlock init")
+	}
+	return Response{OK: true}
+}
+
+func failure(message string) Response {
+	return Response{OK: false, Error: message}
+}
+
+func pinAwareFailure(message string, err error) Response {
+	switch {
+	case errors.Is(err, yubikey.ErrPINRequired):
+		return Response{OK: false, Error: message, Code: "pin_required"}
+	case errors.Is(err, yubikey.ErrPINInvalid):
+		return Response{OK: false, Error: message, Code: "pin_invalid"}
+	case errors.Is(err, yubikey.ErrPINAuthBlocked):
+		return Response{OK: false, Error: message, Code: "pin_auth_blocked"}
+	default:
+		return failure(message)
+	}
+}

package/eldlock-server/internal/api/exec.go

@@ -0,0 +1,97 @@
+package api
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+)
+
+func (s *Service) execProcess(ctx context.Context, req Request) Response {
+	if response := s.requireInitialized(); !response.OK {
+		return response
+	}
+	if !req.Interactive && len(req.Command) == 0 && req.ShellCommand == "" {
+		return failure("exec command is required")
+	}
+	if len(req.Command) > 0 && req.Command[0] == "" {
+		return failure("exec command cannot be empty")
+	}
+	envSecrets, err := s.envWithPIN(req.PIN)
+	if err != nil {
+		return pinAwareFailure(fmt.Sprintf("load exec environment: %v", err), err)
+	}
+
+	if req.Interactive {
+		return Response{OK: true, Env: envSecrets}
+	}
+
+	cmd := execCommand(ctx, req)
+	if req.CWD != "" {
+		cmd.Dir = req.CWD
+	}
+	cmd.Env = envList(overlayEnv(req.Env, envSecrets))
+
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	err = cmd.Run()
+	exitCode := 0
+	if err != nil {
+		var exitErr *exec.ExitError
+		if errors.As(err, &exitErr) {
+			exitCode = exitErr.ExitCode()
+		} else {
+			return failure(fmt.Sprintf("run exec command: %v", err))
+		}
+	}
+
+	return Response{
+		OK:       true,
+		Stdout:   stdout.String(),
+		Stderr:   stderr.String(),
+		ExitCode: exitCode,
+	}
+}
+
+func execCommand(ctx context.Context, req Request) *exec.Cmd {
+	if req.ShellCommand == "" {
+		return exec.CommandContext(ctx, req.Command[0], req.Command[1:]...)
+	}
+
+	shell := req.Shell
+	if shell == "" {
+		shell = req.Env["SHELL"]
+	}
+	if shell == "" {
+		shell = os.Getenv("SHELL")
+	}
+	if shell == "" {
+		shell = "/bin/sh"
+	}
+
+	return exec.CommandContext(ctx, shell, "-lc", req.ShellCommand)
+}
+
+func overlayEnv(base map[string]string, values map[string]string) map[string]string {
+	env := make(map[string]string, len(base)+len(values))
+	for key, value := range base {
+		env[key] = value
+	}
+	for key, value := range values {
+		env[key] = value
+	}
+	return env
+}
+
+func envList(env map[string]string) []string {
+	out := make([]string, 0, len(env))
+	for key, value := range env {
+		out = append(out, key+"="+value)
+	}
+	return out
+}