@reegaviljoen/eldlock 0.1.0

package/eldlock-server/internal/api/secrets.go

@@ -0,0 +1,358 @@
+package api
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"unicode"
+
+	"github.com/eldlock/eldlock-server/internal/store"
+)
+
+func (s *Service) addSecret(req Request) Response {
+	if response := s.requireInitialized(); !response.OK {
+		return response
+	}
+
+	name := strings.TrimSpace(req.Name)
+	if name == "" {
+		return failure("secret name is required")
+	}
+	if req.Type != store.SecretTypeEnv && req.Type != store.SecretTypeSSH {
+		return failure("secret type must be env or ssh")
+	}
+
+	value := req.Value
+	if req.SourcePath != "" {
+		raw, err := os.ReadFile(req.SourcePath)
+		if err != nil {
+			return failure(fmt.Sprintf("read source file: %v", err))
+		}
+		value = string(raw)
+	}
+	if value == "" {
+		return failure("secret value is required")
+	}
+
+	if err := s.putWithPIN(store.Secret{Name: name, Type: req.Type, Value: value}, req.PIN); err != nil {
+		return pinAwareFailure(fmt.Sprintf("store secret: %v", err), err)
+	}
+
+	return Response{OK: true, Message: fmt.Sprintf("stored %s secret %q", req.Type, name)}
+}
+
+func (s *Service) readSecret(ctx context.Context, req Request) Response {
+	if response := s.requireInitialized(); !response.OK {
+		return response
+	}
+
+	name := strings.TrimSpace(req.Name)
+	if name == "" {
+		return failure("secret name is required")
+	}
+	if req.Output != OutputPlain && req.Output != OutputClipboard {
+		return failure("read output must be plain or clipboard")
+	}
+
+	secret, err := s.getWithPIN(name, req.PIN)
+	if errors.Is(err, store.ErrNotFound) {
+		return failure("secret not found")
+	}
+	if err != nil {
+		return pinAwareFailure(fmt.Sprintf("read secret: %v", err), err)
+	}
+
+	switch req.Output {
+	case OutputPlain:
+		return Response{OK: true, Value: secret.Value}
+	case OutputClipboard:
+		if s.Clipboard == nil {
+			return failure("clipboard is not configured")
+		}
+		if err := s.Clipboard.Write(ctx, secret.Value); err != nil {
+			return failure(fmt.Sprintf("write clipboard: %v", err))
+		}
+		return Response{OK: true, Message: fmt.Sprintf("copied %q to clipboard", name)}
+	default:
+		return failure("read output must be plain or clipboard")
+	}
+}
+
+func (s *Service) removeSecret(req Request) Response {
+	if response := s.requireInitialized(); !response.OK {
+		return response
+	}
+
+	name := strings.TrimSpace(req.Name)
+	if name == "" {
+		return failure("secret name is required")
+	}
+
+	if err := s.deleteWithPIN(name, req.PIN); errors.Is(err, store.ErrNotFound) {
+		return failure("secret not found")
+	} else if err != nil {
+		return pinAwareFailure(fmt.Sprintf("remove secret: %v", err), err)
+	}
+
+	return Response{OK: true, Message: fmt.Sprintf("removed secret %q", name)}
+}
+
+func (s *Service) listSecrets(req Request) Response {
+	if response := s.requireInitialized(); !response.OK {
+		return response
+	}
+
+	secrets, err := s.listWithPIN(req.PIN)
+	if err != nil {
+		return pinAwareFailure(fmt.Sprintf("list secrets: %v", err), err)
+	}
+	return Response{OK: true, Secrets: secrets}
+}
+
+func (s *Service) importEnv(req Request) Response {
+	if response := s.requireInitialized(); !response.OK {
+		return response
+	}
+
+	sourcePath := strings.TrimSpace(req.SourcePath)
+	if sourcePath == "" {
+		sourcePath = ".env"
+	}
+	if !filepath.IsAbs(sourcePath) && req.CWD != "" {
+		sourcePath = filepath.Join(req.CWD, sourcePath)
+	}
+
+	raw, err := os.ReadFile(sourcePath)
+	if err != nil {
+		return failure(fmt.Sprintf("read env file: %v", err))
+	}
+	values, err := parseEnvFile(string(raw))
+	if err != nil {
+		return failure(fmt.Sprintf("parse env file: %v", err))
+	}
+	if len(values) == 0 {
+		return failure("env file did not contain any variables")
+	}
+
+	secrets := make([]store.Secret, 0, len(values))
+	for name, value := range values {
+		secrets = append(secrets, store.Secret{Name: name, Type: store.SecretTypeEnv, Value: value})
+	}
+	if err := s.putManyWithPIN(secrets, req.PIN); err != nil {
+		return pinAwareFailure(fmt.Sprintf("import env file: %v", err), err)
+	}
+
+	return Response{OK: true, Imported: len(secrets), Message: fmt.Sprintf("imported %d env secrets", len(secrets))}
+}
+
+func (s *Service) putWithPIN(secret store.Secret, pin string) error {
+	if store, ok := s.Store.(PINSecretStore); ok {
+		return store.PutWithPIN(secret, pin)
+	}
+	return s.Store.Put(secret)
+}
+
+func (s *Service) putManyWithPIN(secrets []store.Secret, pin string) error {
+	if store, ok := s.Store.(PINBulkSecretStore); ok {
+		return store.PutManyWithPIN(secrets, pin)
+	}
+	for _, secret := range secrets {
+		if err := s.putWithPIN(secret, pin); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *Service) getWithPIN(name string, pin string) (store.Secret, error) {
+	if store, ok := s.Store.(PINSecretStore); ok {
+		return store.GetWithPIN(name, pin)
+	}
+	return s.Store.Get(name)
+}
+
+func (s *Service) deleteWithPIN(name string, pin string) error {
+	if store, ok := s.Store.(PINSecretStore); ok {
+		return store.DeleteWithPIN(name, pin)
+	}
+	return s.Store.Delete(name)
+}
+
+func (s *Service) listWithPIN(pin string) ([]store.SecretSummary, error) {
+	if store, ok := s.Store.(PINSecretStore); ok {
+		return store.ListWithPIN(pin)
+	}
+	return s.Store.List()
+}
+
+func (s *Service) envWithPIN(pin string) (map[string]string, error) {
+	if store, ok := s.Store.(EnvSecretStore); ok {
+		return store.EnvWithPIN(pin)
+	}
+	secrets, err := s.Store.List()
+	if err != nil {
+		return nil, err
+	}
+	env := make(map[string]string)
+	for _, summary := range secrets {
+		if summary.Type == store.SecretTypeEnv {
+			secret, err := s.getWithPIN(summary.Name, pin)
+			if err != nil {
+				return nil, err
+			}
+			env[summary.Name] = secret.Value
+		}
+	}
+	return env, nil
+}
+
+func parseEnvFile(contents string) (map[string]string, error) {
+	out := map[string]string{}
+	for index, rawLine := range strings.Split(contents, "\n") {
+		lineNumber := index + 1
+		line := strings.TrimSpace(strings.TrimSuffix(rawLine, "\r"))
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+		if strings.HasPrefix(line, "export ") {
+			line = strings.TrimSpace(strings.TrimPrefix(line, "export "))
+		}
+		key, value, ok := strings.Cut(line, "=")
+		if !ok {
+			return nil, fmt.Errorf("line %d: expected KEY=value", lineNumber)
+		}
+		key = strings.TrimSpace(key)
+		if !validEnvKey(key) {
+			return nil, fmt.Errorf("line %d: invalid env key", lineNumber)
+		}
+		parsed, err := parseEnvValue(value)
+		if err != nil {
+			return nil, fmt.Errorf("line %d: %w", lineNumber, err)
+		}
+		out[key] = parsed
+	}
+	return out, nil
+}
+
+func parseEnvValue(value string) (string, error) {
+	value = strings.TrimSpace(value)
+	if value == "" {
+		return "", nil
+	}
+	switch value[0] {
+	case '\'':
+		return parseSingleQuotedEnv(value)
+	case '"':
+		inner, err := parseDoubleQuotedEnv(value)
+		if err != nil {
+			return "", err
+		}
+		return unescapeDoubleQuotedEnv(inner)
+	default:
+		return strings.TrimSpace(stripInlineEnvComment(value)), nil
+	}
+}
+
+func parseSingleQuotedEnv(value string) (string, error) {
+	closing := strings.IndexRune(value[1:], '\'')
+	if closing < 0 {
+		return "", errors.New("unterminated single-quoted value")
+	}
+	closing++
+	if err := validateQuotedEnvTail(value[closing+1:]); err != nil {
+		return "", err
+	}
+	return value[1:closing], nil
+}
+
+func parseDoubleQuotedEnv(value string) (string, error) {
+	escaped := false
+	for index, char := range value[1:] {
+		actualIndex := index + 1
+		if escaped {
+			escaped = false
+			continue
+		}
+		if char == '\\' {
+			escaped = true
+			continue
+		}
+		if char == '"' {
+			if err := validateQuotedEnvTail(value[actualIndex+1:]); err != nil {
+				return "", err
+			}
+			return value[1:actualIndex], nil
+		}
+	}
+	return "", errors.New("unterminated double-quoted value")
+}
+
+func validateQuotedEnvTail(tail string) error {
+	tail = strings.TrimSpace(tail)
+	if tail == "" || strings.HasPrefix(tail, "#") {
+		return nil
+	}
+	return errors.New("unexpected characters after quoted value")
+}
+
+func stripInlineEnvComment(value string) string {
+	for index, char := range value {
+		if char == '#' && (index == 0 || unicode.IsSpace(rune(value[index-1]))) {
+			return value[:index]
+		}
+	}
+	return value
+}
+
+func unescapeDoubleQuotedEnv(value string) (string, error) {
+	var builder strings.Builder
+	escaped := false
+	for _, char := range value {
+		if escaped {
+			switch char {
+			case 'n':
+				builder.WriteByte('\n')
+			case 'r':
+				builder.WriteByte('\r')
+			case 't':
+				builder.WriteByte('\t')
+			case '"', '\\', '$':
+				builder.WriteRune(char)
+			default:
+				builder.WriteRune(char)
+			}
+			escaped = false
+			continue
+		}
+		if char == '\\' {
+			escaped = true
+			continue
+		}
+		builder.WriteRune(char)
+	}
+	if escaped {
+		builder.WriteByte('\\')
+	}
+	return builder.String(), nil
+}
+
+func validEnvKey(key string) bool {
+	if key == "" {
+		return false
+	}
+	for index, char := range key {
+		if index == 0 {
+			if char != '_' && !unicode.IsLetter(char) {
+				return false
+			}
+			continue
+		}
+		if char != '_' && !unicode.IsLetter(char) && !unicode.IsDigit(char) {
+			return false
+		}
+	}
+	return true
+}

package/eldlock-server/internal/api/server.go

@@ -0,0 +1,72 @@
+package api
+
+import (
+	"bufio"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+)
+
+type Server struct {
+	SocketPath string
+	Service    *Service
+}
+
+func (s *Server) ListenAndServe(ctx context.Context) error {
+	if s.SocketPath == "" {
+		return fmt.Errorf("socket path is required")
+	}
+	if s.Service == nil {
+		return fmt.Errorf("service is required")
+	}
+	if err := os.MkdirAll(filepath.Dir(s.SocketPath), 0o700); err != nil {
+		return fmt.Errorf("create socket directory: %w", err)
+	}
+	if err := os.Remove(s.SocketPath); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove old socket: %w", err)
+	}
+
+	listener, err := net.Listen("unix", s.SocketPath)
+	if err != nil {
+		return fmt.Errorf("listen on socket: %w", err)
+	}
+	defer listener.Close()
+	defer os.Remove(s.SocketPath)
+
+	if unixListener, ok := listener.(*net.UnixListener); ok {
+		go func() {
+			<-ctx.Done()
+			_ = unixListener.Close()
+		}()
+	}
+
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			if ctx.Err() != nil {
+				return nil
+			}
+			return fmt.Errorf("accept connection: %w", err)
+		}
+		go s.handleConn(ctx, conn)
+	}
+}
+
+func (s *Server) handleConn(ctx context.Context, conn net.Conn) {
+	defer conn.Close()
+
+	scanner := bufio.NewScanner(conn)
+	scanner.Buffer(make([]byte, 0, 64*1024), 1024*1024)
+	encoder := json.NewEncoder(conn)
+	for scanner.Scan() {
+		var req Request
+		if err := json.Unmarshal(scanner.Bytes(), &req); err != nil {
+			_ = encoder.Encode(failure("invalid request json"))
+			continue
+		}
+		_ = encoder.Encode(s.Service.Handle(ctx, req))
+	}
+}