Introduces the confidant CLI

Introduces a CLI around the confidant library so that we can conveniently encrypt/decrypt streams of base64 values.

Author: huntc

Cargo.toml

@@ -4,6 +4,7 @@ resolver = "2"
 members = [
     "streambed",
     "streambed-confidant",
+    "streambed-confidant-cli",
     "streambed-kafka",
     "streambed-logged",
     "streambed-logged-cli",
@@ -59,5 +60,6 @@ tokio-util = "0.7.4"
 warp = "0.3"
 
 streambed = { path = "streambed", version = "0.10.2" }
+streambed-confidant = { path = "streambed-confidant", version = "0.10.2" }
 streambed-logged = { path = "streambed-logged", version = "0.10.2" }
 streambed-test = { path = "streambed-test", version = "0.10.2" }

streambed-confidant-cli/Cargo.toml

@@ -0,0 +1,23 @@
+[package]
+name = "streambed-confidant-cli"
+version.workspace = true
+edition.workspace = true
+rust-version.workspace = true
+license.workspace = true
+repository.workspace = true
+description = "A CLI for a file-system-based secret store that applies streambed-crypto to data"
+
+[dependencies]
+base64 = { workspace = true }
+clap = { workspace = true }
+env_logger = { workspace = true }
+hex = { workspace = true }
+humantime = { workspace = true }
+streambed = { workspace = true }
+streambed-confidant = { workspace = true }
+tokio = { workspace = true, features = ["full"] }
+tokio-stream = { workspace = true }
+
+[[bin]]
+name = "confidant"
+path = "src/main.rs"

streambed-confidant-cli/README.md

@@ -0,0 +1,30 @@
+confidant
+===
+
+The `confidant` command provides a utility for conveniently operating on file-based secret store. It is
+often used in conjunction `logged` to encrypt payloads as a pre-stage, or decrypt as a post-stage. No
+assumption is made regarding the nature of a payload beyond it being encrypted using streambed crypto
+functions.
+
+Running with an example encrypt followed by a decrypt
+---
+
+First get the executable:
+
+```
+cargo install streambed-confidant-cli
+```
+
+...or build it from this repo:
+
+```
+cargo build --bin loggconfidanted --release
+```
+
+...and make a build available on the PATH (only for `cargo build` and just once per shell session):
+
+```
+export PATH="$PWD/target/release":$PATH
+```
+
+Use `--help` to discover all of the options.

streambed-confidant-cli/src/cryptor.rs

@@ -0,0 +1,38 @@
+use std::io::{self, Write};
+
+use streambed::secret_store::SecretStore;
+
+use crate::errors::Errors;
+
+pub async fn decrypt(
+    ss: impl SecretStore,
+    line_reader: impl FnMut() -> Result<Option<String>, io::Error>,
+    output: impl Write,
+) -> Result<(), Errors> {
+    encrypt(ss, line_reader, output).await
+}
+pub async fn encrypt(
+    _ss: impl SecretStore,
+    mut line_reader: impl FnMut() -> Result<Option<String>, io::Error>,
+    mut _output: impl Write,
+) -> Result<(), Errors> {
+    loop {
+        if let Some(_line) = line_reader()? {
+        } else {
+            break;
+        }
+    }
+    // let lines = input.lines();
+    // for record in lines {
+    //     // let record = ProducerRecord {
+    //     //     topic: record.topic,
+    //     //     headers: record.headers,
+    //     //     timestamp: record.timestamp,
+    //     //     key: record.key,
+    //     //     value: record.value,
+    //     //     partition: record.partition,
+    //     // };
+    //     // cl.produce(record).await.map_err(Errors::Producer)?;
+    // }
+    Ok(())
+}

streambed-confidant-cli/src/errors.rs

@@ -0,0 +1,54 @@
+use std::{
+    error::Error,
+    fmt::{self, Debug},
+    io,
+};
+
+use streambed::secret_store;
+
+#[derive(Debug)]
+pub enum Errors {
+    CannotDecodeRootSecretAsHex,
+    EmptyRootSecretFile,
+    EmptySecretIdFile,
+    Io(io::Error),
+    RootSecretFileIo(io::Error),
+    SecretIdFileIo(io::Error),
+    SecretStore(secret_store::Error),
+}
+
+impl From<io::Error> for Errors {
+    fn from(value: io::Error) -> Self {
+        Self::Io(value)
+    }
+}
+
+impl fmt::Display for Errors {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            Self::CannotDecodeRootSecretAsHex => {
+                f.write_str("Cannot decode the root-secret as hex")
+            }
+            Self::EmptyRootSecretFile => f.write_str("Empty root-secret file"),
+            Self::EmptySecretIdFile => f.write_str("Empty secret-id file"),
+            Self::Io(e) => fmt::Display::fmt(&e, f),
+            Self::SecretStore(_) => f.write_str("Unauthorised access"),
+            Self::RootSecretFileIo(_) => f.write_str("root-secret file problem"),
+            Self::SecretIdFileIo(_) => f.write_str("secret-id file problem"),
+        }
+    }
+}
+
+impl Error for Errors {
+    fn source(&self) -> Option<&(dyn Error + 'static)> {
+        match self {
+            Self::CannotDecodeRootSecretAsHex
+            | Self::EmptyRootSecretFile
+            | Self::EmptySecretIdFile
+            | Self::SecretStore(_) => None,
+            Self::Io(e) => e.source(),
+            Self::RootSecretFileIo(e) => e.source(),
+            Self::SecretIdFileIo(e) => e.source(),
+        }
+    }
+}

streambed-confidant-cli/src/main.rs

@@ -0,0 +1,224 @@
+use std::{
+    error::Error,
+    fs::{self, File},
+    io::{self, BufRead, BufReader, BufWriter, Write},
+    path::PathBuf,
+    time::Duration,
+};
+
+use clap::{Args, Parser, Subcommand};
+use errors::Errors;
+use streambed::secret_store::SecretStore;
+use streambed_confidant::FileSecretStore;
+
+pub mod cryptor;
+pub mod errors;
+
+/// The `confidant` command provides a utility for conveniently operating on file-based secret store. It is
+/// often used in conjunction `logged` to encrypt payloads as a pre-stage, or decrypt as a post-stage. No
+/// assumption is made regarding the nature of a value passed in beyond it to be encrypted/decrypted using streambed crypto
+/// functions. This value is expected to be encoded as BASE64 and will output as encoded BASE64.
+#[derive(Parser, Debug)]
+#[clap(author, about, long_about = None, version)]
+struct ProgramArgs {
+    /// In order to initialise the secret store, a root secret is also required. A credentials-directory path can be provided
+    /// where a `root-secret`` file is expected. This argument corresponds conveniently with systemd's CREDENTIALS_DIRECTORY
+    /// environment variable and is used by various services we have written.
+    /// Also associated with this argument is the `secret_id` file` for role-based authentication with the secret store.
+    /// This secret is expected to be found in a ss-secret-id file of the directory.
+    #[clap(env, long, default_value = "/tmp")]
+    pub credentials_directory: PathBuf,
+
+    /// The max number of Vault Secret Store secrets to retain by our cache at any time.
+    /// Least Recently Used (LRU) secrets will be evicted from our cache once this value
+    /// is exceeded.
+    #[clap(env, long, default_value_t = 10_000)]
+    pub max_secrets: usize,
+
+    /// The Secret Store role_id to use for approle authentication.
+    #[clap(env, long, default_value = "streambed-confidant-cli")]
+    pub role_id: String,
+
+    /// The location of all secrets belonging to confidant. The recommendation is to
+    /// create a user for confidant and a requirement is to remove group and world permissions.
+    /// Then, use ACLs to express further access conditions.
+    #[clap(env, long, default_value = "/var/lib/confidant")]
+    pub root_path: PathBuf,
+
+    /// A data field to used in place of Vault's lease_duration field. Time
+    /// will be interpreted as a humantime string e.g. "1m", "1s" etc. Note
+    /// that v2 of the Vault server does not appear to populate the lease_duration
+    /// field for the KV secret store any longer. Instead, we can use a "ttl" field
+    /// from the data.
+    #[clap(env, long)]
+    pub ttl_field: Option<String>,
+
+    /// How long we wait until re-requesting the Secret Store for an
+    /// unauthorized secret again.
+    #[clap(env, long, default_value = "1m")]
+    pub unauthorized_timeout: humantime::Duration,
+
+    #[command(subcommand)]
+    pub command: Command,
+}
+
+#[derive(Subcommand, Debug)]
+enum Command {
+    Decrypt(DecryptCommand),
+    Encrypt(EncryptCommand),
+}
+
+/// Consume a BASE64 value followed by a newline character, from a stream until EOF and decrypt it.
+#[derive(Args, Debug)]
+struct DecryptCommand {
+    /// The file to consume BASE64 records with newlines from, or `-` to indicate STDIN.
+    #[clap(env, short, long)]
+    pub file: PathBuf,
+
+    /// By default, records are output to STDOUT as a BASE64 values followed newlines.
+    /// This option can be used to write to a file.
+    #[clap(env, short, long)]
+    pub output: Option<PathBuf>,
+}
+
+/// Consume a BASE64 value followed by a newline character, from a stream until EOF and encrypt it.
+#[derive(Args, Debug)]
+struct EncryptCommand {
+    /// The file to consume BASE64 records with newlines from, or `-` to indicate STDIN.
+    #[clap(env, short, long)]
+    pub file: PathBuf,
+
+    /// By default, records are output to STDOUT as a BASE64 values followed newlines.
+    /// This option can be used to write to a file.
+    #[clap(env, short, long)]
+    pub output: Option<PathBuf>,
+}
+
+async fn secret_store(
+    credentials_directory: PathBuf,
+    max_secrets: usize,
+    root_path: PathBuf,
+    role_id: String,
+    ttl_field: Option<&str>,
+    unauthorized_timeout: Duration,
+) -> Result<impl SecretStore, Errors> {
+    let ss = {
+        let (root_secret, ss_secret_id) = {
+            let f = File::open(credentials_directory.join("root-secret"))
+                .map_err(|e| Errors::RootSecretFileIo(e))?;
+            let f = BufReader::new(f);
+            let root_secret = f
+                .lines()
+                .next()
+                .ok_or(Errors::EmptyRootSecretFile)?
+                .map_err(|e| Errors::RootSecretFileIo(e))?;
+
+            let f = File::open(credentials_directory.join("ss-secret-id"))
+                .map_err(|e| Errors::SecretIdFileIo(e))?;
+            let f = BufReader::new(f);
+            let ss_secret_id = f
+                .lines()
+                .next()
+                .ok_or(Errors::EmptyRootSecretFile)?
+                .map_err(|e| Errors::SecretIdFileIo(e))?;
+
+            (root_secret, ss_secret_id)
+        };
+
+        let root_secret =
+            hex::decode(root_secret).map_err(|_| Errors::CannotDecodeRootSecretAsHex)?;
+
+        let ss = FileSecretStore::new(
+            root_path,
+            &root_secret.try_into().unwrap(),
+            unauthorized_timeout,
+            max_secrets,
+            ttl_field,
+        );
+
+        ss.approle_auth(&role_id, &ss_secret_id)
+            .await
+            .map_err(|e| Errors::SecretStore(e))?;
+
+        ss
+    };
+    Ok(ss)
+}
+
+fn pipeline(
+    file: PathBuf,
+    output: Option<PathBuf>,
+) -> Result<
+    (
+        Box<dyn FnMut() -> Result<Option<String>, io::Error> + Send>,
+        Box<dyn Write + Send>,
+    ),
+    Errors,
+> {
+    let line_reader: Box<dyn FnMut() -> Result<Option<String>, io::Error> + Send> =
+        if file.as_os_str() == "-" {
+            let stdin = io::stdin();
+            let mut line = String::new();
+            Box::new(move || {
+                line.clear();
+                if stdin.read_line(&mut line)? > 0 {
+                    Ok(Some(line.clone()))
+                } else {
+                    Ok(None)
+                }
+            })
+        } else {
+            let mut buf = BufReader::new(fs::File::open(file).map_err(Errors::from)?);
+            let mut line = String::new();
+            Box::new(move || {
+                line.clear();
+                if buf.read_line(&mut line)? > 0 {
+                    Ok(Some(line.clone()))
+                } else {
+                    Ok(None)
+                }
+            })
+        };
+    let output: Box<dyn Write + Send> = if let Some(output) = output {
+        Box::new(BufWriter::new(
+            fs::File::create(output).map_err(Errors::from)?,
+        ))
+    } else {
+        Box::new(io::stdout())
+    };
+    Ok((line_reader, output))
+}
+
+#[tokio::main]
+async fn main() -> Result<(), Box<dyn Error>> {
+    let args = ProgramArgs::parse();
+
+    env_logger::builder().format_timestamp_millis().init();
+
+    let ss = secret_store(
+        args.credentials_directory,
+        args.max_secrets,
+        args.root_path,
+        args.role_id,
+        args.ttl_field.as_deref(),
+        args.unauthorized_timeout.into(),
+    )
+    .await?;
+
+    let task = tokio::spawn(async move {
+        match args.command {
+            Command::Decrypt(command) => {
+                let (line_reader, output) = pipeline(command.file, command.output)?;
+                cryptor::decrypt(ss, line_reader, output).await
+            }
+            Command::Encrypt(command) => {
+                let (line_reader, output) = pipeline(command.file, command.output)?;
+                cryptor::encrypt(ss, line_reader, output).await
+            }
+        }
+    });
+
+    task.await
+        .map_err(|e| e.into())
+        .and_then(|r: Result<(), Errors>| r.map_err(|e| e.into()))
+}