@reegaviljoen/eldlock 0.1.0

package/eldlock-server/internal/api/service_test.go

@@ -0,0 +1,416 @@
+package api
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/eldlock/eldlock-server/internal/store"
+	"github.com/eldlock/eldlock-server/internal/yubikey"
+)
+
+func TestServiceAddAndReadPlain(t *testing.T) {
+	service := NewService(newMemoryStore())
+
+	init := service.Handle(context.Background(), Request{Action: ActionInit})
+	if !init.OK {
+		t.Fatalf("init OK = false, error = %q", init.Error)
+	}
+
+	add := service.Handle(context.Background(), Request{
+		Action: ActionAddSecret,
+		Name:   "project/API_KEY",
+		Type:   store.SecretTypeEnv,
+		Value:  "secret-value",
+	})
+	if !add.OK {
+		t.Fatalf("add OK = false, error = %q", add.Error)
+	}
+
+	read := service.Handle(context.Background(), Request{
+		Action: ActionReadSecret,
+		Name:   "project/API_KEY",
+		Output: OutputPlain,
+	})
+	if !read.OK {
+		t.Fatalf("read OK = false, error = %q", read.Error)
+	}
+	if read.Value != "secret-value" {
+		t.Fatalf("read Value = %q, want secret value", read.Value)
+	}
+}
+
+func TestServiceReadClipboardStaysServerSide(t *testing.T) {
+	clipboard := &memoryClipboard{}
+	service := NewService(newMemoryStore())
+	service.Clipboard = clipboard
+
+	service.Handle(context.Background(), Request{Action: ActionInit})
+	service.Handle(context.Background(), Request{
+		Action: ActionAddSecret,
+		Name:   "ssh/personal",
+		Type:   store.SecretTypeSSH,
+		Value:  "private-key",
+	})
+
+	read := service.Handle(context.Background(), Request{
+		Action: ActionReadSecret,
+		Name:   "ssh/personal",
+		Output: OutputClipboard,
+	})
+	if !read.OK {
+		t.Fatalf("read OK = false, error = %q", read.Error)
+	}
+	if read.Value != "" {
+		t.Fatalf("clipboard response leaked value %q", read.Value)
+	}
+	if clipboard.value != "private-key" {
+		t.Fatalf("clipboard value = %q, want private key", clipboard.value)
+	}
+}
+
+func TestServiceRequiresInit(t *testing.T) {
+	service := NewService(newMemoryStore())
+
+	add := service.Handle(context.Background(), Request{
+		Action: ActionAddSecret,
+		Name:   "project/API_KEY",
+		Type:   store.SecretTypeEnv,
+		Value:  "secret-value",
+	})
+	if add.OK {
+		t.Fatalf("add OK = true before init")
+	}
+}
+
+func TestServiceReturnsPINRequiredCode(t *testing.T) {
+	memory := newMemoryStore()
+	memory.initErr = yubikey.ErrPINRequired
+	service := NewService(memory)
+
+	response := service.Handle(context.Background(), Request{Action: ActionInit})
+	if response.OK {
+		t.Fatalf("init OK = true")
+	}
+	if response.Code != "pin_required" {
+		t.Fatalf("init Code = %q, want pin_required; error = %q", response.Code, response.Error)
+	}
+}
+
+func TestServiceRemoveSecret(t *testing.T) {
+	service := NewService(newMemoryStore())
+
+	service.Handle(context.Background(), Request{Action: ActionInit})
+	service.Handle(context.Background(), Request{
+		Action: ActionAddSecret,
+		Name:   "project/API_KEY",
+		Type:   store.SecretTypeEnv,
+		Value:  "secret-value",
+	})
+
+	remove := service.Handle(context.Background(), Request{
+		Action: ActionRemoveSecret,
+		Name:   "project/API_KEY",
+	})
+	if !remove.OK {
+		t.Fatalf("remove OK = false, error = %q", remove.Error)
+	}
+
+	read := service.Handle(context.Background(), Request{
+		Action: ActionReadSecret,
+		Name:   "project/API_KEY",
+		Output: OutputPlain,
+	})
+	if read.OK {
+		t.Fatalf("read OK = true after remove")
+	}
+}
+
+func TestServiceExecInjectsEnvSecrets(t *testing.T) {
+	service := NewService(newMemoryStore())
+
+	service.Handle(context.Background(), Request{Action: ActionInit})
+	service.Handle(context.Background(), Request{
+		Action: ActionAddSecret,
+		Name:   "BG_TEST",
+		Type:   store.SecretTypeEnv,
+		Value:  "from-eldlock",
+	})
+
+	exec := service.Handle(context.Background(), Request{
+		Action:  ActionExec,
+		Command: []string{"/bin/sh", "-c", "printf %s \"$BG_TEST\""},
+		Env:     map[string]string{"BG_TEST": "from-client"},
+	})
+	if !exec.OK {
+		t.Fatalf("exec OK = false, error = %q", exec.Error)
+	}
+	if exec.Stdout != "from-eldlock" {
+		t.Fatalf("exec Stdout = %q, want injected secret", exec.Stdout)
+	}
+	if exec.ExitCode != 0 {
+		t.Fatalf("exec ExitCode = %d, want 0", exec.ExitCode)
+	}
+}
+
+func TestServiceExecShellCommandExpandsInjectedEnvSecrets(t *testing.T) {
+	service := NewService(newMemoryStore())
+
+	service.Handle(context.Background(), Request{Action: ActionInit})
+	service.Handle(context.Background(), Request{
+		Action: ActionAddSecret,
+		Name:   "BG_TEST",
+		Type:   store.SecretTypeEnv,
+		Value:  "from-eldlock",
+	})
+
+	exec := service.Handle(context.Background(), Request{
+		Action:       ActionExec,
+		Shell:        "/bin/sh",
+		ShellCommand: "printf %s \"$BG_TEST\"",
+		Env:          map[string]string{"BG_TEST": "from-client"},
+	})
+	if !exec.OK {
+		t.Fatalf("exec OK = false, error = %q", exec.Error)
+	}
+	if exec.Stdout != "from-eldlock" {
+		t.Fatalf("exec Stdout = %q, want injected secret", exec.Stdout)
+	}
+	if exec.ExitCode != 0 {
+		t.Fatalf("exec ExitCode = %d, want 0", exec.ExitCode)
+	}
+}
+
+func TestServiceInteractiveExecReturnsEnvSecretsForClientShell(t *testing.T) {
+	service := NewService(newMemoryStore())
+
+	service.Handle(context.Background(), Request{Action: ActionInit})
+	service.Handle(context.Background(), Request{
+		Action: ActionAddSecret,
+		Name:   "BG_TEST",
+		Type:   store.SecretTypeEnv,
+		Value:  "from-eldlock",
+	})
+
+	exec := service.Handle(context.Background(), Request{
+		Action:      ActionExec,
+		Interactive: true,
+	})
+	if !exec.OK {
+		t.Fatalf("exec OK = false, error = %q", exec.Error)
+	}
+	if exec.Env["BG_TEST"] != "from-eldlock" {
+		t.Fatalf("exec Env[BG_TEST] = %q, want injected secret", exec.Env["BG_TEST"])
+	}
+	if exec.Stdout != "" || exec.Stderr != "" {
+		t.Fatalf("interactive exec should not return captured output")
+	}
+}
+
+func TestServiceExecReturnsChildExitCode(t *testing.T) {
+	service := NewService(newMemoryStore())
+
+	service.Handle(context.Background(), Request{Action: ActionInit})
+	exec := service.Handle(context.Background(), Request{
+		Action:  ActionExec,
+		Command: []string{"/bin/sh", "-c", "printf problem >&2; exit 7"},
+	})
+	if !exec.OK {
+		t.Fatalf("exec OK = false, error = %q", exec.Error)
+	}
+	if exec.Stderr != "problem" {
+		t.Fatalf("exec Stderr = %q, want problem", exec.Stderr)
+	}
+	if exec.ExitCode != 7 {
+		t.Fatalf("exec ExitCode = %d, want 7", exec.ExitCode)
+	}
+}
+
+func TestServiceImportEnvFile(t *testing.T) {
+	service := NewService(newMemoryStore())
+	service.Handle(context.Background(), Request{Action: ActionInit})
+
+	dir := t.TempDir()
+	envPath := filepath.Join(dir, ".env")
+	if err := os.WriteFile(envPath, []byte(`
+# ignored
+API_KEY=secret-value
+export QUOTED="hello\nworld"
+SINGLE='literal value'
+TRAILING=visible # hidden comment
+EMPTY=
+`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	response := service.Handle(context.Background(), Request{
+		Action:     ActionImportEnv,
+		SourcePath: ".env",
+		CWD:        dir,
+	})
+	if !response.OK {
+		t.Fatalf("import OK = false, error = %q", response.Error)
+	}
+	if response.Imported != 5 {
+		t.Fatalf("import Imported = %d, want 5", response.Imported)
+	}
+	if response.Value != "" {
+		t.Fatalf("import leaked value %q", response.Value)
+	}
+
+	read := service.Handle(context.Background(), Request{Action: ActionReadSecret, Name: "QUOTED", Output: OutputPlain})
+	if read.Value != "hello\nworld" {
+		t.Fatalf("quoted value = %q", read.Value)
+	}
+	trailing := service.Handle(context.Background(), Request{Action: ActionReadSecret, Name: "TRAILING", Output: OutputPlain})
+	if trailing.Value != "visible" {
+		t.Fatalf("trailing value = %q", trailing.Value)
+	}
+}
+
+func TestServiceImportEnvFileRejectsInvalidLine(t *testing.T) {
+	service := NewService(newMemoryStore())
+	service.Handle(context.Background(), Request{Action: ActionInit})
+
+	dir := t.TempDir()
+	if err := os.WriteFile(filepath.Join(dir, ".env"), []byte("not-valid\n"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	response := service.Handle(context.Background(), Request{
+		Action:     ActionImportEnv,
+		SourcePath: ".env",
+		CWD:        dir,
+	})
+	if response.OK {
+		t.Fatalf("import OK = true")
+	}
+	if response.Error == "" {
+		t.Fatalf("import error was empty")
+	}
+}
+
+func TestServiceRoutesRequestsByVault(t *testing.T) {
+	resolver := newMemoryStoreResolver()
+	service := NewService(nil)
+	service.StoreResolver = resolver
+
+	initDefault := service.Handle(context.Background(), Request{Action: ActionInit})
+	if !initDefault.OK {
+		t.Fatalf("default init OK = false, error = %q", initDefault.Error)
+	}
+	initWork := service.Handle(context.Background(), Request{Action: ActionInit, Vault: "work"})
+	if !initWork.OK {
+		t.Fatalf("work init OK = false, error = %q", initWork.Error)
+	}
+
+	service.Handle(context.Background(), Request{
+		Action: ActionAddSecret,
+		Name:   "BG_TEST",
+		Type:   store.SecretTypeEnv,
+		Value:  "default-value",
+	})
+	service.Handle(context.Background(), Request{
+		Action: ActionAddSecret,
+		Vault:  "work",
+		Name:   "BG_TEST",
+		Type:   store.SecretTypeEnv,
+		Value:  "work-value",
+	})
+
+	readDefault := service.Handle(context.Background(), Request{Action: ActionReadSecret, Name: "BG_TEST", Output: OutputPlain})
+	if readDefault.Value != "default-value" {
+		t.Fatalf("default vault value = %q, want default-value", readDefault.Value)
+	}
+	readWork := service.Handle(context.Background(), Request{Action: ActionReadSecret, Vault: "work", Name: "BG_TEST", Output: OutputPlain})
+	if readWork.Value != "work-value" {
+		t.Fatalf("work vault value = %q, want work-value", readWork.Value)
+	}
+}
+
+func TestFileStoreResolverRejectsInvalidVaultName(t *testing.T) {
+	_, err := NormalizeVaultName("../nope")
+	if err == nil {
+		t.Fatalf("NormalizeVaultName() error = nil")
+	}
+}
+
+type memoryStore struct {
+	initialized bool
+	secrets     map[string]store.Secret
+	initErr     error
+}
+
+type memoryStoreResolver struct {
+	stores map[string]*memoryStore
+}
+
+func newMemoryStoreResolver() *memoryStoreResolver {
+	return &memoryStoreResolver{stores: map[string]*memoryStore{}}
+}
+
+func (r *memoryStoreResolver) StoreForVault(name string) (SecretStore, error) {
+	name, err := NormalizeVaultName(name)
+	if err != nil {
+		return nil, err
+	}
+	if r.stores[name] == nil {
+		r.stores[name] = newMemoryStore()
+	}
+	return r.stores[name], nil
+}
+
+func newMemoryStore() *memoryStore {
+	return &memoryStore{secrets: map[string]store.Secret{}}
+}
+
+func (m *memoryStore) Init() error {
+	if m.initErr != nil {
+		return m.initErr
+	}
+	m.initialized = true
+	return nil
+}
+
+func (m *memoryStore) IsInitialized() (bool, error) {
+	return m.initialized, nil
+}
+
+func (m *memoryStore) Put(secret store.Secret) error {
+	m.secrets[secret.Name] = secret
+	return nil
+}
+
+func (m *memoryStore) Get(name string) (store.Secret, error) {
+	secret, ok := m.secrets[name]
+	if !ok {
+		return store.Secret{}, store.ErrNotFound
+	}
+	return secret, nil
+}
+
+func (m *memoryStore) Delete(name string) error {
+	if _, ok := m.secrets[name]; !ok {
+		return store.ErrNotFound
+	}
+	delete(m.secrets, name)
+	return nil
+}
+
+func (m *memoryStore) List() ([]store.SecretSummary, error) {
+	summaries := make([]store.SecretSummary, 0, len(m.secrets))
+	for _, secret := range m.secrets {
+		summaries = append(summaries, store.SecretSummary{Name: secret.Name, Type: secret.Type})
+	}
+	return summaries, nil
+}
+
+type memoryClipboard struct {
+	value string
+}
+
+func (m *memoryClipboard) Write(_ context.Context, value string) error {
+	m.value = value
+	return nil
+}

package/eldlock-server/internal/api/types.go

@@ -0,0 +1,48 @@
+package api
+
+import "github.com/eldlock/eldlock-server/internal/store"
+
+type Request struct {
+	Action       string            `json:"action"`
+	Vault        string            `json:"vault,omitempty"`
+	Name         string            `json:"name,omitempty"`
+	Type         store.SecretType  `json:"type,omitempty"`
+	Value        string            `json:"value,omitempty"`
+	SourcePath   string            `json:"source_path,omitempty"`
+	Output       string            `json:"output,omitempty"`
+	PIN          string            `json:"pin,omitempty"`
+	Command      []string          `json:"command,omitempty"`
+	Shell        string            `json:"shell,omitempty"`
+	ShellCommand string            `json:"shell_command,omitempty"`
+	Interactive  bool              `json:"interactive,omitempty"`
+	CWD          string            `json:"cwd,omitempty"`
+	Env          map[string]string `json:"env,omitempty"`
+}
+
+type Response struct {
+	OK       bool                  `json:"ok"`
+	Message  string                `json:"message,omitempty"`
+	Value    string                `json:"value,omitempty"`
+	Stdout   string                `json:"stdout,omitempty"`
+	Stderr   string                `json:"stderr,omitempty"`
+	ExitCode int                   `json:"exit_code,omitempty"`
+	Imported int                   `json:"imported,omitempty"`
+	Env      map[string]string     `json:"env,omitempty"`
+	Secrets  []store.SecretSummary `json:"secrets,omitempty"`
+	Error    string                `json:"error,omitempty"`
+	Code     string                `json:"code,omitempty"`
+}
+
+const (
+	ActionHealth       = "health"
+	ActionInit         = "init"
+	ActionAddSecret    = "secret.add"
+	ActionReadSecret   = "secret.read"
+	ActionRemoveSecret = "secret.remove"
+	ActionListSecrets  = "secret.list"
+	ActionImportEnv    = "secret.import_env"
+	ActionExec         = "exec"
+
+	OutputPlain     = "plain"
+	OutputClipboard = "clipboard"
+)

package/eldlock-server/internal/api/vault.go

@@ -0,0 +1,69 @@
+package api
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+	"unicode"
+
+	"github.com/eldlock/eldlock-server/internal/store"
+)
+
+const DefaultVaultName = "default"
+
+type FileStoreResolver struct {
+	StateDir    string
+	KeyProvider store.KeyProvider
+}
+
+func (r FileStoreResolver) StoreForVault(name string) (SecretStore, error) {
+	vaultName, err := NormalizeVaultName(name)
+	if err != nil {
+		return nil, err
+	}
+	if r.StateDir == "" {
+		return nil, fmt.Errorf("state dir is required")
+	}
+	if r.KeyProvider == nil {
+		return nil, fmt.Errorf("passkey provider is not configured")
+	}
+	return store.NewFileStore(r.PathForVault(vaultName), r.KeyProvider), nil
+}
+
+func (r FileStoreResolver) PathForVault(name string) string {
+	if name == DefaultVaultName {
+		return filepath.Join(r.StateDir, "vault.json")
+	}
+	return filepath.Join(r.StateDir, "vaults", name+".json")
+}
+
+func NormalizeVaultName(name string) (string, error) {
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return DefaultVaultName, nil
+	}
+	for _, char := range name {
+		if unicode.IsLetter(char) || unicode.IsDigit(char) || char == '-' || char == '_' || char == '.' {
+			continue
+		}
+		return "", fmt.Errorf("vault name %q is invalid; use letters, numbers, '.', '-', or '_'", name)
+	}
+	if name == "." || name == ".." {
+		return "", fmt.Errorf("vault name %q is invalid", name)
+	}
+	return name, nil
+}
+
+func (s *Service) initVault(req Request) Response {
+	if err := s.initWithPIN(req.PIN); err != nil {
+		return pinAwareFailure(fmt.Sprintf("initialize vault: %v", err), err)
+	}
+	return Response{OK: true, Message: "initialized Eldlock vault"}
+}
+
+func (s *Service) initWithPIN(pin string) error {
+	if store, ok := s.Store.(PINSecretStore); ok {
+		return store.InitWithPIN(pin)
+	}
+	return s.Store.Init()
+}

package/eldlock-server/internal/api/vendor.go

@@ -0,0 +1,44 @@
+package api
+
+import (
+	"context"
+	"errors"
+	"os/exec"
+	"runtime"
+)
+
+type LocalClipboard struct{}
+
+func (LocalClipboard) Write(ctx context.Context, value string) error {
+	var cmd *exec.Cmd
+	switch runtime.GOOS {
+	case "darwin":
+		cmd = exec.CommandContext(ctx, "pbcopy")
+	default:
+		if path, err := exec.LookPath("wl-copy"); err == nil {
+			cmd = exec.CommandContext(ctx, path)
+		} else if path, err := exec.LookPath("xclip"); err == nil {
+			cmd = exec.CommandContext(ctx, path, "-selection", "clipboard")
+		} else {
+			return errors.New("no supported clipboard command found")
+		}
+	}
+
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return err
+	}
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	if _, err := stdin.Write([]byte(value)); err != nil {
+		_ = stdin.Close()
+		_ = cmd.Wait()
+		return err
+	}
+	if err := stdin.Close(); err != nil {
+		_ = cmd.Wait()
+		return err
+	}
+	return cmd.Wait()
+}

package/eldlock-server/internal/libfido2/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+​
+Copyright (c) 2019 Gabriel Handford
+​
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+​
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+​
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.