func dumpVaultLog(vaultFile, logFileOut string) {
salt, err := keyvault.GetSalt(vaultFile)
if err != nil {
fmt.Fprintf(os.Stderr, "Failed to extract salt from vault file: %v\n", err)
os.Exit(1)
}
vaultKey := deriveKey(salt)
vault, err := keyvault.Open(vaultFile, *vaultKey)
if err != nil {
fmt.Fprintf(os.Stderr, "Failed to open vault file: %v\n", err)
os.Exit(1)
}
password, err := readpass.PasswordPrompt("Admin password: "******"Failed to read password: %v\n", err)
os.Exit(1)
}
logOut := vault.LogDump(checkPassword, password)
vault.Close()
err = ioutil.WriteFile(logFileOut, []byte(logOut), 0644)
if err != nil {
fmt.Fprintf(os.Stderr, "Failed to write log file: %v\n", err)
os.Exit(1)
}
fmt.Println("Log file dumped to", logFileOut)
os.Exit(0)
}
// Registration with a password only involves storing the bcrypt hash
// of the user's password.
func regPassword() *auth.Authenticator {
password, err := readpass.PasswordPrompt("Password: ")
dieIfError(err)
a, err := auth.NewPasswordAuth(password, 0)
dieIfError(err)
return a
}
func main() {
flUser := flag.String("u", "", "user name to act on")
flAddr := flag.String("a", "127.0.0.1:8443", "address of passvault server")
flag.Parse()
if flag.NArg() != 1 {
fmt.Println("No command specified. Valid commands: add, delete")
return
} else if *flUser == "" {
fmt.Println("No user specified. Please specify a user with -u.")
return
}
adminPassword, err := readpass.PasswordPrompt("Admin password: "******"Failed: %v\n", err)
return
}
adm := client.NewAdmin(*flAddr, adminPassword, false)
cmd := flag.Arg(0)
switch cmd {
case "add":
var userPassword string
userPassword, err = readpass.PasswordPrompt("Password for new user: "******"Failed: %v\n", err)
return
}
err = adm.AddUser(*flUser, userPassword)
case "delete":
err = adm.RemoveUser(*flUser)
default:
fmt.Println("Invalid command. Valid commands: add, delete.")
return
}
if err != nil {
fmt.Printf("Failed: %v\n", err)
} else {
fmt.Println("OK.")
}
return
}
func checkSaltFile(filename string) {
password, err := readpass.PasswordPrompt("Password for master key: ")
if err != nil {
log.Fatalf("failed to read password: %v", err)
}
if filename == "" {
log.Printf("WARNING: no salt file specified!")
fmt.Println(`
***************
*** WARNING ***
***************
Arx is running WITHOUT a salt file. Once the server shuts down,
secrets will be undecryptable. If this is what you want, you
may ignore this message. If you expect to be able to restart the
server and recover secrets, you should shutdown the server NOW
and check your configuration.
***************
*** WARNING ***
***************
`)
_, err := crypto.Init(password, nil)
if err != nil {
log.Fatalf("failed to initialise crypto (%v)", err)
}
} else if _, err := os.Stat(filename); err != nil {
if os.IsNotExist(err) {
salt, err := crypto.Init(password, nil)
if err != nil {
log.Fatalf("failed to initialise crypto (%v)", err)
}
err = ioutil.WriteFile(filename, salt, 0600)
if err != nil {
log.Fatalf("failed to write salt to file (%v)", err)
}
log.Println("new master key generated; salt file written to", filename)
} else {
log.Fatalf("failed to open salt file: %v", err)
}
return
}
salt, err := ioutil.ReadFile(filename)
if err != nil {
log.Fatalf("failed to open salt file: %v", err)
}
_, err = crypto.Init(password, salt)
if err == nil {
log.Println("master key restored from salt")
}
return
}
func main() {
flUser := flag.String("u", "", "user name to act on")
flAddr := flag.String("a", "127.0.0.1:8443", "address of passvault server")
flSecret := flag.String("f", "secret.out", "path to secret to store on server")
flOut := flag.String("out", "secret.out", "path to store returned secrets at")
flID := flag.String("id", "", "identifier for secret")
flLen := flag.Int("l", 0, "length of secret to provision")
flag.Parse()
if flag.NArg() != 1 {
fmt.Println("No command specified. Valid commands: get, provision, put, delete")
return
} else if *flUser == "" {
fmt.Println("No user specified. Please specify a user with -u.")
return
} else if *flID == "" {
fmt.Println("No secret was identified. Please specify which secret to operate on.")
return
}
prompt := fmt.Sprintf("Password for user %s: ", *flUser)
userPassword, err := readpass.PasswordPrompt(prompt)
if err != nil {
fmt.Printf("Failed: %v\n", err)
return
}
var secret []byte
cli := client.New(*flAddr, *flUser, userPassword, false)
cmd := flag.Arg(0)
switch cmd {
case "get":
secret, err = cli.Get(*flID)
if err != nil {
fmt.Printf("Failed: %v\n", err)
return
}
err = ioutil.WriteFile(*flOut, secret, 0600)
if err != nil {
fmt.Printf("Failed: %v\n", err)
return
}
fmt.Printf("Stored secret %s in %s.\n", *flID, *flOut)
fmt.Println("OK.")
case "provision":
if *flLen == 0 {
fmt.Println("Failed: secret of length 0 requested.")
return
}
secret, err = cli.Provision(*flID, *flLen)
if err != nil {
fmt.Printf("Failed: %v\n", err)
return
}
err = ioutil.WriteFile(*flOut, secret, 0600)
if err != nil {
fmt.Printf("Failed: %v\n", err)
return
}
fmt.Printf("Provisioned secret %s in %s.\n", *flID, *flOut)
fmt.Println("OK.")
case "put":
secret, err = ioutil.ReadFile(*flSecret)
if err != nil {
fmt.Printf("Failed: %v\n", err)
return
}
err = cli.Put(*flID, secret)
if err != nil {
fmt.Printf("Failed: %v\n", err)
return
}
fmt.Printf("Uploaded secret from %s to server.\n", *flSecret)
fmt.Println("OK.")
case "delete":
err = cli.Delete(*flID)
if err != nil {
fmt.Printf("Failed: %v\n", err)
return
}
fmt.Println("OK.")
default:
fmt.Println("Invalid action. Valid actions are get, provision, put, and delete.")
return
}
}
