gustodia.go


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112

package main

import (
    "fmt"
    "encoding/json"
    "errors"
    "net"
    "net/http"
    "os"
    "strings"
    "syscall"
)

const PREFIX string = "CUSTODIA_"
const SECRET_PREFIX string = PREFIX + "SECRET_"
const BASE_PATH string = "http://localhost/secrets/"
const SOCKET string = "./server_socket"

type CustodiaMessage struct {
    Type string  `json:"type"`
    Value string `json:"value"`
}

type CustodiaSecret struct {
    Name string
    Value string
    Secret string
}

func unixDial(proto, addr string) (conn net.Conn, err error) {
    typ := "unix"
    conn, err = net.DialUnix(typ, nil, &net.UnixAddr{SOCKET, typ})
    return conn, err
}

func query_custodia(secrets []*CustodiaSecret) {
    tr := &http.Transport{
        Dial: unixDial,
    }
    client := &http.Client{Transport: tr}

    for _, sec := range secrets {
        path := BASE_PATH + sec.Value
        req, err := http.NewRequest(
            "GET", path, nil)
        if err != nil {
            panic(err)
        }
        req.Header.Add("REMOTE_USER", "gustodia")
        resp, err := client.Do(req)
        if err != nil {
            panic(err)
        }
        defer resp.Body.Close()

        if resp.StatusCode != http.StatusOK {
            msg := fmt.Sprintf("%s: %s", path, resp.Status)
            err := errors.New(msg)
            panic(err)
        }
        var m CustodiaMessage
        body := json.NewDecoder(resp.Body)
        body.Decode(&m)
        sec.Secret = m.Value;
    }
}

func get_custodia_envs() ([]*CustodiaSecret) {
    secrets := []*CustodiaSecret{}
    for _, env := range os.Environ() {
        if strings.HasPrefix(env, SECRET_PREFIX) {
            pair := strings.SplitN(env, "=", 2)
            sec := &CustodiaSecret{
                Name: pair[0][len(SECRET_PREFIX):],
                Value: pair[1],
                Secret: "",
            }
            secrets = append(secrets, sec)
        }
    }
    return secrets
}

func make_env(secrets []*CustodiaSecret) []string {
    environ := []string{}
    for _, env := range os.Environ() {
        if ! strings.HasPrefix(env, PREFIX) {
            environ = append(environ, env)
        }
    }
    for _, sec := range secrets {
        env := fmt.Sprintf("%s=%s", sec.Name, sec.Secret)
        environ = append(environ, env)
    }
    return environ
}

func main() {
    secrets := get_custodia_envs()
    query_custodia(secrets)
    environ := make_env(secrets)
    /*
    for _, sec := range secrets {
        fmt.Printf("%+v\n", *sec)
    }
    for _, env := range environ {
        fmt.Println(env)
    }
    */
    args := os.Args[1:]
    syscall.Exec(args[0], args, environ)
}