Merge pull request #46 from gregdhill/conf-fixups

Sean Young · web-flow · commit 6a3397a5b1b3 · 2019-02-25T16:33:32.000Z
fixup config, secrets and add granting example
diff --git a/cmd/hoarctl/encryption.go b/cmd/hoarctl/encryption.go
@@ -13,16 +13,16 @@ import (
 
 // Decrypt does what it says on the tin
 func (client *Client) Decrypt(cmd *cli.Cmd) {
-	secretKey := addOpt(cmd, "key", secretOpt, "").(*string)
-	salt := addOpt(cmd, "salt", saltOpt, "").(*string)
+	secretKey := addStringOpt(cmd, "key", secretOpt)
+	salt := addStringOpt(cmd, "salt", saltOpt)
 
 	cmd.Action = func() {
 		encryptedData := readData()
 		plaintext, err := client.encryption.Decrypt(context.Background(),
 			&hoard.ReferenceAndCiphertext{
 				Reference: &reference.Ref{
-					SecretKey: readBase64(*secretKey),
-					Salt:      parseSalt(*salt),
+					SecretKey: readBase64(secretKey),
+					Salt:      parseSalt(salt),
 				},
 				Ciphertext: &hoard.Ciphertext{
 					EncryptedData: encryptedData,
@@ -37,7 +37,7 @@ func (client *Client) Decrypt(cmd *cli.Cmd) {
 
 // Encrypt also does what it says on the tin
 func (client *Client) Encrypt(cmd *cli.Cmd) {
-	salt := addOpt(cmd, "salt", saltOpt, "").(*string)
+	salt := addStringOpt(cmd, "salt", saltOpt)
 
 	cmd.Action = func() {
 		data, err := ioutil.ReadAll(os.Stdin)
@@ -47,7 +47,7 @@ func (client *Client) Encrypt(cmd *cli.Cmd) {
 		refAndCiphertext, err := client.encryption.Encrypt(context.Background(),
 			&hoard.Plaintext{
 				Data: data,
-				Salt: parseSalt(*salt),
+				Salt: parseSalt(salt),
 			})
 		if err != nil {
 			fatalf("Error encrypting: %v", err)
@@ -58,14 +58,14 @@ func (client *Client) Encrypt(cmd *cli.Cmd) {
 
 // Ref encrypts as above, but then packages the data in a ref
 func (client *Client) Ref(cmd *cli.Cmd) {
-	salt := addOpt(cmd, "salt", saltOpt, "").(*string)
+	salt := addStringOpt(cmd, "salt", saltOpt)
 
 	cmd.Action = func() {
 		data := readData()
 		refAndCiphertext, err := client.encryption.Encrypt(context.Background(),
 			&hoard.Plaintext{
 				Data: data,
-				Salt: parseSalt(*salt),
+				Salt: parseSalt(salt),
 			})
 		if err != nil {
 			fatalf("Error generating reference: %v", err)
diff --git a/cmd/hoarctl/grants.go b/cmd/hoarctl/grants.go
@@ -12,19 +12,18 @@ import (
 
 // PutSeal encrypts and stores data then prints a grant
 func (client *Client) PutSeal(cmd *cli.Cmd) {
-	salt := addOpt(cmd, "salt", saltOpt, "").(*string)
-	key := addOpt(cmd, "key", saltOpt, "").(*string)
+	salt := addStringOpt(cmd, "salt", saltOpt)
+	key := addStringOpt(cmd, "key", keyOpt)
 
 	cmd.Action = func() {
-
 		var seal *grant.Grant
 		var err error
 
 		spec := grant.Spec{Plaintext: &grant.PlaintextSpec{}}
-		if key != nil {
+		if *key != "" {
 			spec = grant.Spec{
 				Plaintext: nil,
-				Symmetric: &grant.SymmetricSpec{SecretID: string(parseSalt(*key))},
+				Symmetric: &grant.SymmetricSpec{SecretID: *key},
 			}
 		}
 
@@ -33,7 +32,7 @@ func (client *Client) PutSeal(cmd *cli.Cmd) {
 			&hoard.PlaintextAndGrantSpec{
 				Plaintext: &hoard.Plaintext{
 					Data: data,
-					Salt: parseSalt(*salt),
+					Salt: parseSalt(salt),
 				},
 				GrantSpec: &spec,
 			},
@@ -48,15 +47,15 @@ func (client *Client) PutSeal(cmd *cli.Cmd) {
 
 // Seal reads encrypted data then prints a grant
 func (client *Client) Seal(cmd *cli.Cmd) {
-	address := addOpt(cmd, "address", addrOpt, "").(*string)
-	key := addOpt(cmd, "key", saltOpt, "").(*string)
+	address := addStringOpt(cmd, "address", addrOpt)
+	key := addStringOpt(cmd, "key", keyOpt)
 
 	cmd.Action = func() {
 		spec := grant.Spec{Plaintext: &grant.PlaintextSpec{}}
-		if key != nil {
+		if *key != "" {
 			spec = grant.Spec{
 				Plaintext: nil,
-				Symmetric: &grant.SymmetricSpec{SecretID: string(parseSalt(*key))},
+				Symmetric: &grant.SymmetricSpec{SecretID: *key},
 			}
 		}
 
@@ -77,16 +76,16 @@ func (client *Client) Seal(cmd *cli.Cmd) {
 
 // Reseal reads a grant then prints a new grant
 func (client *Client) Reseal(cmd *cli.Cmd) {
-	salt := addOpt(cmd, "salt", saltOpt, "").(*string)
+	key := addStringOpt(cmd, "key", keyOpt)
 
 	cmd.Action = func() {
 		prev := readGrant()
 		next := grant.Spec{Plaintext: &grant.PlaintextSpec{}}
 
-		if salt != nil {
+		if *key != "" {
 			next = grant.Spec{
 				Plaintext: nil,
-				Symmetric: &grant.SymmetricSpec{SecretID: string(parseSalt(*salt))},
+				Symmetric: &grant.SymmetricSpec{SecretID: *key},
 			}
 		}
 
diff --git a/cmd/hoarctl/main.go b/cmd/hoarctl/main.go
@@ -21,7 +21,8 @@ import (
 )
 
 const (
-	addrOpt string = "The address of the data to retrieve as base64-encoded string"
+	addrOpt string = "The address of the data to retrieve as base64-encoded string."
+	keyOpt  string = "The ID of the symmetric secret to use."
 	saltOpt string = "Token to use for encryption and decryption. " +
 		"Will be parsed as base64 encoded string if this is possible, " +
 		"otherwise will be interpreted as the bytes of the string itself."
@@ -92,26 +93,21 @@ func main() {
 }
 
 // extra cli options
-func addOpt(cmd *cli.Cmd, arg, desc string, def interface{}) (opt interface{}) {
-	switch d := def.(type) {
-	case string:
-		opt = cmd.StringOpt(fmt.Sprintf("%s %s", string(arg[0]), arg), d, desc)
-	case bool:
-		opt = cmd.BoolOpt(fmt.Sprintf("%s %s", string(arg[0]), arg), d, desc)
-	}
+func addStringOpt(cmd *cli.Cmd, arg, desc string) *string {
+	opt := cmd.StringOpt(fmt.Sprintf("%s %s", string(arg[0]), arg), "", desc)
 	cmd.Spec += fmt.Sprintf("[-%s | --%s]", string(arg[0]), arg)
 	return opt
 }
 
-func parseSalt(saltString string) []byte {
-	if saltString == "" {
+func parseSalt(saltString *string) []byte {
+	if saltString == nil {
 		return nil
 	}
-	saltBytes, err := base64.StdEncoding.DecodeString(saltString)
+	saltBytes, err := base64.StdEncoding.DecodeString(*saltString)
 	if err == nil {
 		return saltBytes
 	}
-	return ([]byte)(saltString)
+	return ([]byte)(*saltString)
 }
 
 func jsonString(v interface{}) string {
@@ -134,7 +130,7 @@ func readData() []byte {
 func readReference(address *string) *reference.Ref {
 	ref := new(reference.Ref)
 	if address != nil && *address != "" {
-		ref.Address = readBase64(*address)
+		ref.Address = readBase64(address)
 		return ref
 	}
 	err := parseObject(os.Stdin, ref)
@@ -165,8 +161,11 @@ func parseObject(r io.Reader, o interface{}) error {
 	return nil
 }
 
-func readBase64(base64String string) []byte {
-	secretKeyBytes, err := base64.StdEncoding.DecodeString(base64String)
+func readBase64(base64String *string) []byte {
+	if base64String == nil {
+		return nil
+	}
+	secretKeyBytes, err := base64.StdEncoding.DecodeString(*base64String)
 	if err != nil {
 		fatalf("Could not decode '%s' as base64-encoded string", base64String)
 	}
diff --git a/cmd/hoarctl/store.go b/cmd/hoarctl/store.go
@@ -12,7 +12,7 @@ import (
 
 // Cat retrieves encrypted data from store
 func (client *Client) Cat(cmd *cli.Cmd) {
-	address := addOpt(cmd, "address", addrOpt, "").(*string)
+	address := addStringOpt(cmd, "address", addrOpt)
 
 	cmd.Action = func() {
 		ref := readReference(address)
@@ -27,9 +27,9 @@ func (client *Client) Cat(cmd *cli.Cmd) {
 
 // Get retrieves and decrypts data from store
 func (client *Client) Get(cmd *cli.Cmd) {
-	address := addOpt(cmd, "address", addrOpt, "").(*string)
-	secretKey := addOpt(cmd, "key", secretOpt, "").(*string)
-	salt := addOpt(cmd, "salt", saltOpt, "").(*string)
+	address := addStringOpt(cmd, "address", addrOpt)
+	secretKey := addStringOpt(cmd, "key", secretOpt)
+	salt := addStringOpt(cmd, "salt", saltOpt)
 
 	cmd.Action = func() {
 		// If given address then try to read reference from arguments and option
@@ -39,9 +39,9 @@ func (client *Client) Get(cmd *cli.Cmd) {
 				fatalf("A secret key must be provided in order to decrypt")
 			}
 			ref = &reference.Ref{
-				Address:   readBase64(*address),
-				SecretKey: readBase64(*secretKey),
-				Salt:      parseSalt(*salt),
+				Address:   readBase64(address),
+				SecretKey: readBase64(secretKey),
+				Salt:      parseSalt(salt),
 			}
 		}
 		plaintext, err := client.cleartext.Get(context.Background(), ref)
@@ -68,14 +68,14 @@ func (client *Client) Insert(cmd *cli.Cmd) {
 
 // Put encrypts data and stores it
 func (client *Client) Put(cmd *cli.Cmd) {
-	salt := addOpt(cmd, "salt", saltOpt, "").(*string)
+	salt := addStringOpt(cmd, "salt", saltOpt)
 
 	cmd.Action = func() {
 		data := readData()
 		ref, err := client.cleartext.Put(context.Background(),
 			&hoard.Plaintext{
 				Data: data,
-				Salt: parseSalt(*salt),
+				Salt: parseSalt(salt),
 			})
 		if err != nil {
 			fatalf("Error storing data: %v", err)
@@ -86,7 +86,7 @@ func (client *Client) Put(cmd *cli.Cmd) {
 
 // Stat retrieves info about the stored data
 func (client *Client) Stat(cmd *cli.Cmd) {
-	address := addOpt(cmd, "address", addrOpt, "").(*string)
+	address := addStringOpt(cmd, "address", addrOpt)
 
 	cmd.Action = func() {
 		ref := readReference(address)
diff --git a/cmd/hoard/main.go b/cmd/hoard/main.go
@@ -69,7 +69,6 @@ func main() {
 		if *listenAddressOpt != "" {
 			conf.ListenAddress = *listenAddressOpt
 		}
-
 		symmetricProvider := secrets.ProviderFromConfig(conf.Secrets)
 		openPGPConf := secrets.OpenPGPFromConfig(conf.Secrets)
 		sm := secrets.Manager{Provider: symmetricProvider, OpenPGP: openPGPConf}
diff --git a/config/logging/logging.go b/config/logging/logging.go
@@ -21,9 +21,10 @@ const (
 	Json   LoggingType = "json"
 )
 
+// LoggingConfig describes the channels to listen on,
+// messages not on these channels will be filtered
+// and leaving empty disables logging
 type LoggingConfig struct {
-	// Channels to listen on, messages not on these channels will be filtered
-	// leaving empty disables logging
 	LoggingType LoggingType
 	Channels    []structure.Channel
 }
diff --git a/config/secrets/secrets.go b/config/secrets/secrets.go
@@ -1,10 +1,15 @@
 package secrets
 
-import "io/ioutil"
+import (
+	"io/ioutil"
+)
 
+// SecretsConfig lists the configured secrets,
+// Symmetric secrets are those local to the running daemon
+// and OpenPGP identifies an entity in the given keyring
 type SecretsConfig struct {
-	Secrets []SymmetricSecret
-	OpenPGP *OpenPGPSecret
+	Symmetric []SymmetricSecret
+	OpenPGP   OpenPGPSecret
 }
 
 type SymmetricSecret struct {
@@ -13,48 +18,52 @@ type SymmetricSecret struct {
 }
 
 type OpenPGPSecret struct {
-	ID   uint64
+	ID   string
 	File string
 	Data []byte
 }
 
-type SymmetricProvider func(secretID string) []byte
-
 type Manager struct {
 	Provider SymmetricProvider
 	OpenPGP  *OpenPGPSecret
 }
 
-func NoopSymmetricProvider(_ string) []byte {
-	return nil
-}
+type SymmetricProvider func(secretID string) []byte
 
+// NoopSecretManager is an empty secret manager
 var NoopSecretManager = Manager{
 	Provider: NoopSymmetricProvider,
 	OpenPGP:  nil,
 }
 
+// NoopSymmetricProvider returns an empty provider
+func NoopSymmetricProvider(_ string) []byte {
+	return nil
+}
+
+// ProviderFromConfig creates a secret reader from a set of symmetric secrets
 func ProviderFromConfig(conf *SecretsConfig) SymmetricProvider {
-	if conf == nil {
+	if conf == nil || len(conf.Symmetric) == 0 {
 		return NoopSymmetricProvider
 	}
-	secs := make(map[string][]byte, len(conf.Secrets))
-	for _, s := range conf.Secrets {
+	secs := make(map[string][]byte, len(conf.Symmetric))
+	for _, s := range conf.Symmetric {
 		secs[s.ID] = []byte(s.Passphrase)
 	}
 	return func(id string) []byte {
 		return secs[id]
 	}
 }
 
+// OpenPGPFromConfig reads a given PGP keyring
 func OpenPGPFromConfig(conf *SecretsConfig) *OpenPGPSecret {
-	if conf == nil {
+	if conf == nil || conf.OpenPGP.File == "" {
 		return nil
 	}
 	keyRing, err := ioutil.ReadFile(conf.OpenPGP.File)
 	if err != nil {
 		return nil
 	}
 	conf.OpenPGP.Data = keyRing
-	return conf.OpenPGP
+	return &conf.OpenPGP
 }
diff --git a/config/storage/storage.go b/config/storage/storage.go
@@ -28,6 +28,7 @@ const (
 	IPFS        StorageType = "ipfs"
 )
 
+// StorageConfig identifies the configured back-end
 type StorageConfig struct {
 	// Acts a string enum
 	StorageType StorageType
diff --git a/docs/design/examples.md b/docs/design/examples.md
@@ -0,0 +1,25 @@
+# Examples
+
+To configure hoard with a fully-functioning secret back-end use the following example config:
+
+```toml
+ListenAddress = "tcp://:53431"
+
+[Storage]
+  StorageType = "memory"
+  AddressEncoding = "base64"
+
+[Logging]
+  LoggingType = "json"
+  Channels = ["info", "trace"]
+
+[Secrets.OpenPGP]
+  ID = "10449759736975846181"
+  File = "${HOME}/go/src/github.com/monax/hoard/grant/private.key.asc"
+
+[[Secrets.Symmetric]]
+  ID = "test"
+  Passphrase = "test"
+```
+
+Remember to change the provided values before deploying to production.
diff --git a/docs/design/grants.md b/docs/design/grants.md
diff --git a/grant/grant_test.go b/grant/grant_test.go
diff --git a/grant/openpgp.go b/grant/openpgp.go
diff --git a/grant/openpgp_test.go b/grant/openpgp_test.go

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,6 @@ func main() {`
`69`	`69`	`if *listenAddressOpt != "" {`
`70`	`70`	`conf.ListenAddress = *listenAddressOpt`
`71`	`71`	`}`
`72`		`-`
`73`	`72`	`symmetricProvider := secrets.ProviderFromConfig(conf.Secrets)`
`74`	`73`	`openPGPConf := secrets.OpenPGPFromConfig(conf.Secrets)`
`75`	`74`	`sm := secrets.Manager{Provider: symmetricProvider, OpenPGP: openPGPConf}`
Original file line number	Diff line number	Diff line change
`@@ -21,9 +21,10 @@ const (`
`21`	`21`	`Json LoggingType = "json"`
`22`	`22`	`)`
`23`	`23`
	`24`	`+// LoggingConfig describes the channels to listen on,`
	`25`	`+// messages not on these channels will be filtered`
	`26`	`+// and leaving empty disables logging`
`24`	`27`	`type LoggingConfig struct {`
`25`		`- // Channels to listen on, messages not on these channels will be filtered`
`26`		`- // leaving empty disables logging`
`27`	`28`	`LoggingType LoggingType`
`28`	`29`	`Channels []structure.Channel`
`29`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ const (`
`28`	`28`	`IPFS StorageType = "ipfs"`
`29`	`29`	`)`
`30`	`30`
	`31`	`+// StorageConfig identifies the configured back-end`
`31`	`32`	`type StorageConfig struct {`
`32`	`33`	`// Acts a string enum`
`33`	`34`	`StorageType StorageType`