--- /dev/null
+
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+ <style>
+ body {
+ background: black;
+ color: rgb(80, 80, 80);
+ }
+ body, pre, #legend span {
+ font-family: Menlo, monospace;
+ font-weight: bold;
+ }
+ #topbar {
+ background: black;
+ position: fixed;
+ top: 0; left: 0; right: 0;
+ height: 42px;
+ border-bottom: 1px solid rgb(80, 80, 80);
+ }
+ #content {
+ margin-top: 50px;
+ }
+ #nav, #legend {
+ float: left;
+ margin-left: 10px;
+ }
+ #legend {
+ margin-top: 12px;
+ }
+ #nav {
+ margin-top: 10px;
+ }
+ #legend span {
+ margin: 0 5px;
+ }
+ .cov0 { color: rgb(192, 0, 0) }
+.cov1 { color: rgb(128, 128, 128) }
+.cov2 { color: rgb(116, 140, 131) }
+.cov3 { color: rgb(104, 152, 134) }
+.cov4 { color: rgb(92, 164, 137) }
+.cov5 { color: rgb(80, 176, 140) }
+.cov6 { color: rgb(68, 188, 143) }
+.cov7 { color: rgb(56, 200, 146) }
+.cov8 { color: rgb(44, 212, 149) }
+.cov9 { color: rgb(32, 224, 152) }
+.cov10 { color: rgb(20, 236, 155) }
+
+ </style>
+ </head>
+ <body>
+ <div id="topbar">
+ <div id="nav">
+ <select id="files">
+
+ <option value="file0">sms/auth/auth.go (17.6%)</option>
+
+ <option value="file1">sms/backend/backend.go (66.7%)</option>
+
+ <option value="file2">sms/backend/vault.go (60.5%)</option>
+
+ <option value="file3">sms/config/config.go (90.9%)</option>
+
+ <option value="file4">sms/handler/handler.go (55.1%)</option>
+
+ <option value="file5">sms/log/logger.go (31.2%)</option>
+
+ <option value="file6">sms/sms.go (82.6%)</option>
+
+ </select>
+ </div>
+ <div id="legend">
+ <span>not tracked</span>
+
+ <span class="cov0">no coverage</span>
+ <span class="cov1">low coverage</span>
+ <span class="cov2">*</span>
+ <span class="cov3">*</span>
+ <span class="cov4">*</span>
+ <span class="cov5">*</span>
+ <span class="cov6">*</span>
+ <span class="cov7">*</span>
+ <span class="cov8">*</span>
+ <span class="cov9">*</span>
+ <span class="cov10">high coverage</span>
+
+ </div>
+ </div>
+ <div id="content">
+
+ <pre class="file" id="file0" style="display: none">/*
+ * Copyright 2018 Intel Corporation, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package auth
+
+import (
+ "bytes"
+ "crypto/tls"
+ "crypto/x509"
+ "encoding/base64"
+ "golang.org/x/crypto/openpgp"
+ "golang.org/x/crypto/openpgp/packet"
+ "io/ioutil"
+
+ smslogger "sms/log"
+)
+
+var tlsConfig *tls.Config
+
+// GetTLSConfig initializes a tlsConfig using the CA's certificate
+// This config is then used to enable the server for mutual TLS
+func GetTLSConfig(caCertFile string) (*tls.Config, error) <span class="cov10" title="3">{
+ // Initialize tlsConfig once
+ if tlsConfig == nil </span><span class="cov10" title="3">{
+ caCert, err := ioutil.ReadFile(caCertFile)
+
+ if err != nil </span><span class="cov1" title="1">{
+ return nil, err
+ }</span>
+
+ <span class="cov6" title="2">caCertPool := x509.NewCertPool()
+ caCertPool.AppendCertsFromPEM(caCert)
+
+ tlsConfig = &tls.Config{
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ ClientCAs: caCertPool,
+ MinVersion: tls.VersionTLS12,
+ }
+ tlsConfig.BuildNameToCertificate()</span>
+ }
+ <span class="cov6" title="2">return tlsConfig, nil</span>
+}
+
+// GeneratePGPKeyPair produces a PGP key pair and returns
+// two things:
+// A base64 encoded form of the public part of the entity
+// A base64 encoded form of the private key
+func GeneratePGPKeyPair() (string, string, error) <span class="cov0" title="0">{
+ var entity *openpgp.Entity
+ entity, err := openpgp.NewEntity("aaf.sms.init", "PGP Key for unsealing", "", nil)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return "", "", err
+ }</span>
+
+ // Sign the identity in the entity
+ <span class="cov0" title="0">for _, id := range entity.Identities </span><span class="cov0" title="0">{
+ err = id.SelfSignature.SignUserId(id.UserId.Id, entity.PrimaryKey, entity.PrivateKey, nil)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return "", "", err
+ }</span>
+ }
+
+ // Sign the subkey in the entity
+ <span class="cov0" title="0">for _, subkey := range entity.Subkeys </span><span class="cov0" title="0">{
+ err := subkey.Sig.SignKey(subkey.PublicKey, entity.PrivateKey, nil)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return "", "", err
+ }</span>
+ }
+
+ <span class="cov0" title="0">buffer := new(bytes.Buffer)
+ entity.Serialize(buffer)
+ pbkey := base64.StdEncoding.EncodeToString(buffer.Bytes())
+
+ buffer.Reset()
+ entity.SerializePrivate(buffer, nil)
+ prkey := base64.StdEncoding.EncodeToString(buffer.Bytes())
+
+ return pbkey, prkey, nil</span>
+}
+
+// DecryptPGPBytes decrypts a PGP encoded input string and returns
+// a base64 representation of the decoded string
+func DecryptPGPBytes(data string, prKey string) (string, error) <span class="cov0" title="0">{
+ // Convert private key to bytes from base64
+ prKeyBytes, err := base64.StdEncoding.DecodeString(prKey)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError("Error Decoding base64 private key: " + err.Error())
+ return "", err
+ }</span>
+
+ <span class="cov0" title="0">dataBytes, err := base64.StdEncoding.DecodeString(data)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError("Error Decoding base64 data: " + err.Error())
+ return "", err
+ }</span>
+
+ <span class="cov0" title="0">prEntity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(prKeyBytes)))
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError("Error reading entity from PGP key: " + err.Error())
+ return "", err
+ }</span>
+
+ <span class="cov0" title="0">prEntityList := &openpgp.EntityList{prEntity}
+ message, err := openpgp.ReadMessage(bytes.NewBuffer(dataBytes), prEntityList, nil, nil)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError("Error Decrypting message: " + err.Error())
+ return "", err
+ }</span>
+
+ <span class="cov0" title="0">var retBuf bytes.Buffer
+ retBuf.ReadFrom(message.UnverifiedBody)
+
+ return retBuf.String(), nil</span>
+}
+</pre>
+
+ <pre class="file" id="file1" style="display: none">/*
+ * Copyright 2018 Intel Corporation, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package backend
+
+import (
+ smsconfig "sms/config"
+ smslogger "sms/log"
+)
+
+// SecretDomain is where Secrets are stored.
+// A single domain can have any number of secrets
+type SecretDomain struct {
+ UUID string `json:"uuid"`
+ Name string `json:"name"`
+}
+
+// Secret is the struct that defines the structure of a secret
+// It consists of a name and map containing key value pairs
+type Secret struct {
+ Name string `json:"name"`
+ Values map[string]interface{} `json:"values"`
+}
+
+// SecretBackend interface that will be implemented for various secret backends
+type SecretBackend interface {
+ Init() error
+ GetStatus() (bool, error)
+ Unseal(shard string) error
+
+ GetSecret(dom string, sec string) (Secret, error)
+ ListSecret(dom string) ([]string, error)
+
+ CreateSecretDomain(name string) (SecretDomain, error)
+ CreateSecret(dom string, sec Secret) error
+
+ DeleteSecretDomain(name string) error
+ DeleteSecret(dom string, name string) error
+}
+
+// InitSecretBackend returns an interface implementation
+func InitSecretBackend() (SecretBackend, error) <span class="cov10" title="2">{
+ backendImpl := &Vault{
+ vaultAddress: smsconfig.SMSConfig.VaultAddress,
+ vaultToken: smsconfig.SMSConfig.VaultToken,
+ }
+
+ err := backendImpl.Init()
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return nil, err
+ }</span>
+
+ <span class="cov10" title="2">return backendImpl, nil</span>
+}
+
+// LoginBackend Interface that will be implemented for various login backends
+type LoginBackend interface {
+}
+</pre>
+
+ <pre class="file" id="file2" style="display: none">/*
+ * Copyright 2018 Intel Corporation, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package backend
+
+import (
+ uuid "github.com/hashicorp/go-uuid"
+ vaultapi "github.com/hashicorp/vault/api"
+ smsauth "sms/auth"
+ smslogger "sms/log"
+
+ "errors"
+ "fmt"
+ "strings"
+ "sync"
+ "time"
+)
+
+// Vault is the main Struct used in Backend to initialize the struct
+type Vault struct {
+ sync.Mutex
+ engineType string
+ initRoleDone bool
+ policyName string
+ roleID string
+ secretID string
+ vaultAddress string
+ vaultClient *vaultapi.Client
+ vaultMount string
+ vaultTempTokenTTL time.Time
+ vaultToken string
+ unsealShards []string
+ rootToken string
+ pgpPub string
+ pgpPr string
+}
+
+// Init will initialize the vault connection
+// It will also create the initial policy if it does not exist
+// TODO: Check to see if we need to wait for vault to be running
+func (v *Vault) Init() error <span class="cov4" title="3">{
+ vaultCFG := vaultapi.DefaultConfig()
+ vaultCFG.Address = v.vaultAddress
+ client, err := vaultapi.NewClient(vaultCFG)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Unable to create new vault client")
+ }</span>
+
+ <span class="cov4" title="3">v.engineType = "kv"
+ v.initRoleDone = false
+ v.policyName = "smsvaultpolicy"
+ v.vaultClient = client
+ v.vaultMount = "sms"
+
+ err = v.initRole()
+ if err != nil </span><span class="cov2" title="2">{
+ smslogger.WriteError(err.Error())
+ smslogger.WriteInfo("InitRole will try again later")
+ }</span>
+
+ <span class="cov4" title="3">return nil</span>
+}
+
+// GetStatus returns the current seal status of vault
+func (v *Vault) GetStatus() (bool, error) <span class="cov4" title="3">{
+ sys := v.vaultClient.Sys()
+ sealStatus, err := sys.SealStatus()
+ if err != nil </span><span class="cov1" title="1">{
+ smslogger.WriteError(err.Error())
+ return false, errors.New("Error getting status")
+ }</span>
+
+ <span class="cov2" title="2">return sealStatus.Sealed, nil</span>
+}
+
+// Unseal is a passthrough API that allows any
+// unseal or initialization processes for the backend
+func (v *Vault) Unseal(shard string) error <span class="cov0" title="0">{
+ sys := v.vaultClient.Sys()
+ _, err := sys.Unseal(shard)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Unable to execute unseal operation with specified shard")
+ }</span>
+
+ <span class="cov0" title="0">return nil</span>
+}
+
+// GetSecret returns a secret mounted on a particular domain name
+// The secret itself is referenced via its name which translates to
+// a mount path in vault
+func (v *Vault) GetSecret(dom string, name string) (Secret, error) <span class="cov6" title="6">{
+ err := v.checkToken()
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return Secret{}, errors.New("Token check failed")
+ }</span>
+
+ <span class="cov6" title="6">dom = v.vaultMount + "/" + dom
+
+ sec, err := v.vaultClient.Logical().Read(dom + "/" + name)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return Secret{}, errors.New("Unable to read Secret at provided path")
+ }</span>
+
+ // sec and err are nil in the case where a path does not exist
+ <span class="cov6" title="6">if sec == nil </span><span class="cov0" title="0">{
+ smslogger.WriteWarn("Vault read was empty. Invalid Path")
+ return Secret{}, errors.New("Secret not found at the provided path")
+ }</span>
+
+ <span class="cov6" title="6">return Secret{Name: name, Values: sec.Data}, nil</span>
+}
+
+// ListSecret returns a list of secret names on a particular domain
+// The values of the secret are not returned
+func (v *Vault) ListSecret(dom string) ([]string, error) <span class="cov2" title="2">{
+ err := v.checkToken()
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return nil, errors.New("Token check failed")
+ }</span>
+
+ <span class="cov2" title="2">dom = v.vaultMount + "/" + dom
+
+ sec, err := v.vaultClient.Logical().List(dom)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return nil, errors.New("Unable to read Secret at provided path")
+ }</span>
+
+ // sec and err are nil in the case where a path does not exist
+ <span class="cov2" title="2">if sec == nil </span><span class="cov0" title="0">{
+ smslogger.WriteWarn("Vaultclient returned empty data")
+ return nil, errors.New("Secret not found at the provided path")
+ }</span>
+
+ <span class="cov2" title="2">val, ok := sec.Data["keys"].([]interface{})
+ if !ok </span><span class="cov0" title="0">{
+ smslogger.WriteError("Secret not found at the provided path")
+ return nil, errors.New("Secret not found at the provided path")
+ }</span>
+
+ <span class="cov2" title="2">retval := make([]string, len(val))
+ for i, v := range val </span><span class="cov6" title="6">{
+ retval[i] = fmt.Sprint(v)
+ }</span>
+
+ <span class="cov2" title="2">return retval, nil</span>
+}
+
+// CreateSecretDomain mounts the kv backend on a path with the given name
+func (v *Vault) CreateSecretDomain(name string) (SecretDomain, error) <span class="cov2" title="2">{
+ // Check if token is still valid
+ err := v.checkToken()
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return SecretDomain{}, errors.New("Token Check failed")
+ }</span>
+
+ <span class="cov2" title="2">name = strings.TrimSpace(name)
+ mountPath := v.vaultMount + "/" + name
+ mountInput := &vaultapi.MountInput{
+ Type: v.engineType,
+ Description: "Mount point for domain: " + name,
+ Local: false,
+ SealWrap: false,
+ Config: vaultapi.MountConfigInput{},
+ }
+
+ err = v.vaultClient.Sys().Mount(mountPath, mountInput)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return SecretDomain{}, errors.New("Unable to create Secret Domain")
+ }</span>
+
+ <span class="cov2" title="2">uuid, _ := uuid.GenerateUUID()
+ return SecretDomain{uuid, name}, nil</span>
+}
+
+// CreateSecret creates a secret mounted on a particular domain name
+// The secret itself is mounted on a path specified by name
+func (v *Vault) CreateSecret(dom string, sec Secret) error <span class="cov6" title="6">{
+ err := v.checkToken()
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Token check failed")
+ }</span>
+
+ <span class="cov6" title="6">dom = v.vaultMount + "/" + dom
+
+ // Vault return is empty on successful write
+ // TODO: Check if values is not empty
+ _, err = v.vaultClient.Logical().Write(dom+"/"+sec.Name, sec.Values)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Unable to create Secret at provided path")
+ }</span>
+
+ <span class="cov6" title="6">return nil</span>
+}
+
+// DeleteSecretDomain deletes a secret domain which translates to
+// an unmount operation on the given path in Vault
+func (v *Vault) DeleteSecretDomain(name string) error <span class="cov2" title="2">{
+ err := v.checkToken()
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Token Check Failed")
+ }</span>
+
+ <span class="cov2" title="2">name = strings.TrimSpace(name)
+ mountPath := v.vaultMount + "/" + name
+
+ err = v.vaultClient.Sys().Unmount(mountPath)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Unable to delete domain specified")
+ }</span>
+
+ <span class="cov2" title="2">return nil</span>
+}
+
+// DeleteSecret deletes a secret mounted on the path provided
+func (v *Vault) DeleteSecret(dom string, name string) error <span class="cov6" title="6">{
+ err := v.checkToken()
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Token check failed")
+ }</span>
+
+ <span class="cov6" title="6">dom = v.vaultMount + "/" + dom
+
+ // Vault return is empty on successful delete
+ _, err = v.vaultClient.Logical().Delete(dom + "/" + name)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Unable to delete Secret at provided path")
+ }</span>
+
+ <span class="cov6" title="6">return nil</span>
+}
+
+// initRole is called only once during the service bring up
+func (v *Vault) initRole() error <span class="cov4" title="3">{
+ // Use the root token once here
+ v.vaultClient.SetToken(v.vaultToken)
+ defer v.vaultClient.ClearToken()
+
+ rules := `path "sms/*" { capabilities = ["create", "read", "update", "delete", "list"] }
+ path "sys/mounts/sms*" { capabilities = ["update","delete","create"] }`
+ err := v.vaultClient.Sys().PutPolicy(v.policyName, rules)
+ if err != nil </span><span class="cov2" title="2">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Unable to create policy for approle creation")
+ }</span>
+
+ <span class="cov1" title="1">rName := v.vaultMount + "-role"
+ data := map[string]interface{}{
+ "token_ttl": "60m",
+ "policies": [2]string{"default", v.policyName},
+ }
+
+ //Check if applrole is mounted
+ authMounts, err := v.vaultClient.Sys().ListAuth()
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Unable to get mounted auth backends")
+ }</span>
+
+ <span class="cov1" title="1">approleMounted := false
+ for k, v := range authMounts </span><span class="cov1" title="1">{
+ if v.Type == "approle" && k == "approle/" </span><span class="cov1" title="1">{
+ approleMounted = true
+ break</span>
+ }
+ }
+
+ // Mount approle in case its not already mounted
+ <span class="cov1" title="1">if !approleMounted </span><span class="cov0" title="0">{
+ v.vaultClient.Sys().EnableAuth("approle", "approle", "")
+ }</span>
+
+ // Create a role-id
+ <span class="cov1" title="1">v.vaultClient.Logical().Write("auth/approle/role/"+rName, data)
+ sec, err := v.vaultClient.Logical().Read("auth/approle/role/" + rName + "/role-id")
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Unable to create role ID for approle")
+ }</span>
+ <span class="cov1" title="1">v.roleID = sec.Data["role_id"].(string)
+
+ // Create a secret-id to go with it
+ sec, err = v.vaultClient.Logical().Write("auth/approle/role/"+rName+"/secret-id",
+ map[string]interface{}{})
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Unable to create secret ID for role")
+ }</span>
+
+ <span class="cov1" title="1">v.secretID = sec.Data["secret_id"].(string)
+ v.initRoleDone = true
+ return nil</span>
+}
+
+// Function checkToken() gets called multiple times to create
+// temporary tokens
+func (v *Vault) checkToken() error <span class="cov10" title="24">{
+ v.Lock()
+ defer v.Unlock()
+
+ // Init Role if it is not yet done
+ // Role needs to be created before token can be created
+ if v.initRoleDone == false </span><span class="cov0" title="0">{
+ err := v.initRole()
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Unable to initRole in checkToken")
+ }</span>
+ }
+
+ // Return immediately if token still has life
+ <span class="cov10" title="24">if v.vaultClient.Token() != "" &&
+ time.Since(v.vaultTempTokenTTL) < time.Minute*50 </span><span class="cov9" title="23">{
+ return nil
+ }</span>
+
+ // Create a temporary token using our roleID and secretID
+ <span class="cov1" title="1">out, err := v.vaultClient.Logical().Write("auth/approle/login",
+ map[string]interface{}{"role_id": v.roleID, "secret_id": v.secretID})
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("Unable to create Temporary Token for Role")
+ }</span>
+
+ <span class="cov1" title="1">tok, err := out.TokenID()
+
+ v.vaultTempTokenTTL = time.Now()
+ v.vaultClient.SetToken(tok)
+ return nil</span>
+}
+
+// vaultInit() is used to initialize the vault in cases where it is not
+// initialized. This happens once during intial bring up.
+func (v *Vault) initializeVault() error <span class="cov0" title="0">{
+ initReq := &vaultapi.InitRequest{
+ SecretShares: 5,
+ SecretThreshold: 3,
+ }
+
+ pbkey, prkey, err := smsauth.GeneratePGPKeyPair()
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError("Error Generating PGP Keys. Vault Init will not use encryption!")
+ }</span><span class="cov0" title="0"> else {
+ initReq.PGPKeys = []string{pbkey, pbkey, pbkey, pbkey, pbkey}
+ initReq.RootTokenPGPKey = pbkey
+ v.pgpPub = pbkey
+ v.pgpPr = prkey
+ }</span>
+
+ <span class="cov0" title="0">resp, err := v.vaultClient.Sys().Init(initReq)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ return errors.New("FATAL: Unable to initialize Vault")
+ }</span>
+
+ <span class="cov0" title="0">if resp != nil </span><span class="cov0" title="0">{
+ v.unsealShards = resp.KeysB64
+ v.rootToken = resp.RootToken
+ return nil
+ }</span>
+
+ <span class="cov0" title="0">return errors.New("FATAL: Init response was empty")</span>
+}
+</pre>
+
+ <pre class="file" id="file3" style="display: none">/*
+ * Copyright 2018 Intel Corporation, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package config
+
+import (
+ "encoding/json"
+ "os"
+)
+
+// SMSConfiguration loads up all the values that are used to configure
+// backend implementations
+// TODO: Review these and see if they can be created/discovered dynamically
+type SMSConfiguration struct {
+ CAFile string `json:"cafile"`
+ ServerCert string `json:"servercert"`
+ ServerKey string `json:"serverkey"`
+
+ VaultAddress string `json:"vaultaddress"`
+ VaultToken string `json:"vaulttoken"`
+}
+
+// SMSConfig is the structure that stores the configuration
+var SMSConfig *SMSConfiguration
+
+// ReadConfigFile reads the specified smsConfig file to setup some env variables
+func ReadConfigFile(file string) (*SMSConfiguration, error) <span class="cov10" title="3">{
+ if SMSConfig == nil </span><span class="cov10" title="3">{
+ f, err := os.Open(file)
+ if err != nil </span><span class="cov1" title="1">{
+ return nil, err
+ }</span>
+ <span class="cov6" title="2">defer f.Close()
+
+ SMSConfig = &SMSConfiguration{}
+ decoder := json.NewDecoder(f)
+ err = decoder.Decode(SMSConfig)
+ if err != nil </span><span class="cov0" title="0">{
+ return nil, err
+ }</span>
+ }
+
+ <span class="cov6" title="2">return SMSConfig, nil</span>
+}
+</pre>
+
+ <pre class="file" id="file4" style="display: none">/*
+ * Copyright 2018 Intel Corporation, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package handler
+
+import (
+ "encoding/json"
+ "github.com/gorilla/mux"
+ "net/http"
+
+ smsbackend "sms/backend"
+ smslogger "sms/log"
+)
+
+// handler stores two interface implementations that implement
+// the backend functionality
+type handler struct {
+ secretBackend smsbackend.SecretBackend
+ loginBackend smsbackend.LoginBackend
+}
+
+// createSecretDomainHandler creates a secret domain with a name provided
+func (h handler) createSecretDomainHandler(w http.ResponseWriter, r *http.Request) <span class="cov6" title="3">{
+ var d smsbackend.SecretDomain
+
+ err := json.NewDecoder(r.Body).Decode(&d)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusBadRequest)
+ return
+ }</span>
+
+ <span class="cov6" title="3">dom, err := h.secretBackend.CreateSecretDomain(d.Name)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }</span>
+
+ <span class="cov6" title="3">jdata, err := json.Marshal(dom)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }</span>
+
+ <span class="cov6" title="3">w.Header().Set("Content-Type", "application/json")
+ w.WriteHeader(http.StatusCreated)
+ w.Write(jdata)</span>
+}
+
+// deleteSecretDomainHandler deletes a secret domain with the name provided
+func (h handler) deleteSecretDomainHandler(w http.ResponseWriter, r *http.Request) <span class="cov6" title="3">{
+ vars := mux.Vars(r)
+ domName := vars["domName"]
+
+ err := h.secretBackend.DeleteSecretDomain(domName)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }</span>
+
+ <span class="cov6" title="3">w.WriteHeader(http.StatusNoContent)</span>
+}
+
+// createSecretHandler handles creation of secrets on a given domain name
+func (h handler) createSecretHandler(w http.ResponseWriter, r *http.Request) <span class="cov10" title="7">{
+ // Get domain name from URL
+ vars := mux.Vars(r)
+ domName := vars["domName"]
+
+ // Get secrets to be stored from body
+ var b smsbackend.Secret
+ err := json.NewDecoder(r.Body).Decode(&b)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusBadRequest)
+ return
+ }</span>
+
+ <span class="cov10" title="7">err = h.secretBackend.CreateSecret(domName, b)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }</span>
+
+ <span class="cov10" title="7">w.WriteHeader(http.StatusCreated)</span>
+}
+
+// getSecretHandler handles reading a secret by given domain name and secret name
+func (h handler) getSecretHandler(w http.ResponseWriter, r *http.Request) <span class="cov10" title="7">{
+ vars := mux.Vars(r)
+ domName := vars["domName"]
+ secName := vars["secretName"]
+
+ sec, err := h.secretBackend.GetSecret(domName, secName)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }</span>
+
+ <span class="cov10" title="7">jdata, err := json.Marshal(sec)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }</span>
+
+ <span class="cov10" title="7">w.Header().Set("Content-Type", "application/json")
+ w.Write(jdata)</span>
+}
+
+// listSecretHandler handles listing all secrets under a particular domain name
+func (h handler) listSecretHandler(w http.ResponseWriter, r *http.Request) <span class="cov6" title="3">{
+ vars := mux.Vars(r)
+ domName := vars["domName"]
+
+ secList, err := h.secretBackend.ListSecret(domName)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }</span>
+
+ // Creating an anonymous struct to store the returned list of data
+ <span class="cov6" title="3">var retStruct = struct {
+ SecretNames []string `json:"secretnames"`
+ }{
+ secList,
+ }
+
+ jdata, err := json.Marshal(retStruct)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }</span>
+
+ <span class="cov6" title="3">w.Header().Set("Content-Type", "application/json")
+ w.Write(jdata)</span>
+}
+
+// deleteSecretHandler handles deleting a secret by given domain name and secret name
+func (h handler) deleteSecretHandler(w http.ResponseWriter, r *http.Request) <span class="cov10" title="7">{
+ vars := mux.Vars(r)
+ domName := vars["domName"]
+ secName := vars["secretName"]
+
+ err := h.secretBackend.DeleteSecret(domName, secName)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }</span>
+}
+
+// struct that tracks various status items for SMS and backend
+type backendStatus struct {
+ Seal bool `json:"sealstatus"`
+}
+
+// statusHandler returns information related to SMS and SMS backend services
+func (h handler) statusHandler(w http.ResponseWriter, r *http.Request) <span class="cov6" title="3">{
+ s, err := h.secretBackend.GetStatus()
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }</span>
+
+ <span class="cov6" title="3">status := backendStatus{Seal: s}
+ jdata, err := json.Marshal(status)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }</span>
+
+ <span class="cov6" title="3">w.Header().Set("Content-Type", "application/json")
+ w.Write(jdata)</span>
+}
+
+// loginHandler handles login via password and username
+func (h handler) loginHandler(w http.ResponseWriter, r *http.Request) {<span class="cov0" title="0">
+
+}</span>
+
+// unsealHandler is a pass through that sends requests from quorum client
+// to the backend.
+func (h handler) unsealHandler(w http.ResponseWriter, r *http.Request) <span class="cov0" title="0">{
+ // Get shards to be used for unseal
+ type unsealStruct struct {
+ UnsealShard string `json:"unsealshard"`
+ }
+
+ var inp unsealStruct
+ decoder := json.NewDecoder(r.Body)
+ decoder.DisallowUnknownFields()
+ err := decoder.Decode(&inp)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, "Bad input JSON", http.StatusBadRequest)
+ return
+ }</span>
+
+ <span class="cov0" title="0">err = h.secretBackend.Unseal(inp.UnsealShard)
+ if err != nil </span><span class="cov0" title="0">{
+ smslogger.WriteError(err.Error())
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }</span>
+}
+
+// CreateRouter returns an http.Handler for the registered URLs
+// Takes an interface implementation as input
+func CreateRouter(b smsbackend.SecretBackend) http.Handler <span class="cov4" title="2">{
+ h := handler{secretBackend: b}
+
+ // Create a new mux to handle URL endpoints
+ router := mux.NewRouter()
+
+ router.HandleFunc("/v1/sms/login", h.loginHandler).Methods("POST")
+
+ // Initialization APIs which will be used by quorum client
+ // to unseal and to provide root token to sms service
+ router.HandleFunc("/v1/sms/status", h.statusHandler).Methods("GET")
+ router.HandleFunc("/v1/sms/unseal", h.unsealHandler).Methods("POST")
+
+ router.HandleFunc("/v1/sms/domain", h.createSecretDomainHandler).Methods("POST")
+ router.HandleFunc("/v1/sms/domain/{domName}", h.deleteSecretDomainHandler).Methods("DELETE")
+
+ router.HandleFunc("/v1/sms/domain/{domName}/secret", h.createSecretHandler).Methods("POST")
+ router.HandleFunc("/v1/sms/domain/{domName}/secret", h.listSecretHandler).Methods("GET")
+ router.HandleFunc("/v1/sms/domain/{domName}/secret/{secretName}", h.getSecretHandler).Methods("GET")
+ router.HandleFunc("/v1/sms/domain/{domName}/secret/{secretName}", h.deleteSecretHandler).Methods("DELETE")
+
+ return router
+}</span>
+</pre>
+
+ <pre class="file" id="file5" style="display: none">/*
+ * Copyright 2018 Intel Corporation, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package log
+
+import (
+ "log"
+ "os"
+)
+
+var errLogger *log.Logger
+var warnLogger *log.Logger
+var infoLogger *log.Logger
+
+// Init will be called by sms.go before any other packages use it
+func Init(filePath string) <span class="cov8" title="1">{
+ f, err := os.Create(filePath)
+ if err != nil </span><span class="cov0" title="0">{
+ log.Println("Unable to create a log file")
+ log.Println(err)
+ errLogger = log.New(os.Stderr, "ERROR: ", log.Lshortfile|log.LstdFlags)
+ warnLogger = log.New(os.Stdout, "WARNING: ", log.Lshortfile|log.LstdFlags)
+ infoLogger = log.New(os.Stdout, "INFO: ", log.Lshortfile|log.LstdFlags)
+ }</span><span class="cov8" title="1"> else {
+ errLogger = log.New(f, "ERROR: ", log.Lshortfile|log.LstdFlags)
+ warnLogger = log.New(f, "WARNING: ", log.Lshortfile|log.LstdFlags)
+ infoLogger = log.New(f, "INFO: ", log.Lshortfile|log.LstdFlags)
+ }</span>
+}
+
+// WriteError writes output to the writer we have
+// defined durint its creation with ERROR prefix
+func WriteError(msg string) <span class="cov0" title="0">{
+ if errLogger != nil </span><span class="cov0" title="0">{
+ errLogger.Println(msg)
+ }</span>
+}
+
+// WriteWarn writes output to the writer we have
+// defined durint its creation with WARNING prefix
+func WriteWarn(msg string) <span class="cov0" title="0">{
+ if warnLogger != nil </span><span class="cov0" title="0">{
+ warnLogger.Println(msg)
+ }</span>
+}
+
+// WriteInfo writes output to the writer we have
+// defined durint its creation with INFO prefix
+func WriteInfo(msg string) <span class="cov0" title="0">{
+ if infoLogger != nil </span><span class="cov0" title="0">{
+ infoLogger.Println(msg)
+ }</span>
+}
+</pre>
+
+ <pre class="file" id="file6" style="display: none">/*
+ * Copyright 2018 Intel Corporation, Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package main
+
+import (
+ "context"
+ "log"
+ "net/http"
+ "os"
+ "os/signal"
+
+ smsauth "sms/auth"
+ smsbackend "sms/backend"
+ smsconfig "sms/config"
+ smshandler "sms/handler"
+ smslogger "sms/log"
+)
+
+func main() <span class="cov8" title="1">{
+ // Initialize logger
+ smslogger.Init("sms.log")
+
+ // Read Configuration File
+ smsConf, err := smsconfig.ReadConfigFile("smsconfig.json")
+ if err != nil </span><span class="cov0" title="0">{
+ log.Fatal(err)
+ }</span>
+
+ <span class="cov8" title="1">backendImpl, err := smsbackend.InitSecretBackend()
+ if err != nil </span><span class="cov0" title="0">{
+ log.Fatal(err)
+ }</span>
+
+ <span class="cov8" title="1">httpRouter := smshandler.CreateRouter(backendImpl)
+
+ // TODO: Use CA certificate from AAF
+ tlsConfig, err := smsauth.GetTLSConfig(smsConf.CAFile)
+ if err != nil </span><span class="cov0" title="0">{
+ log.Fatal(err)
+ }</span>
+
+ <span class="cov8" title="1">httpServer := &http.Server{
+ Handler: httpRouter,
+ Addr: ":10443",
+ TLSConfig: tlsConfig,
+ }
+
+ // Listener for SIGINT so that it returns cleanly
+ connectionsClose := make(chan struct{})
+ go func() </span><span class="cov8" title="1">{
+ c := make(chan os.Signal, 1)
+ signal.Notify(c, os.Interrupt)
+ <-c
+ httpServer.Shutdown(context.Background())
+ close(connectionsClose)
+ }</span>()
+
+ <span class="cov8" title="1">err = httpServer.ListenAndServeTLS(smsConf.ServerCert, smsConf.ServerKey)
+ if err != nil && err != http.ErrServerClosed </span><span class="cov0" title="0">{
+ log.Fatal(err)
+ }</span>
+
+ <span class="cov8" title="1"><-connectionsClose</span>
+}
+</pre>
+
+ </div>
+ </body>
+ <script>
+ (function() {
+ var files = document.getElementById('files');
+ var visible;
+ files.addEventListener('change', onChange, false);
+ function select(part) {
+ if (visible)
+ visible.style.display = 'none';
+ visible = document.getElementById(part);
+ if (!visible)
+ return;
+ files.value = part;
+ visible.style.display = 'block';
+ location.hash = part;
+ }
+ function onChange() {
+ select(files.value);
+ window.scrollTo(0, 0);
+ }
+ if (location.hash != "") {
+ select(location.hash.substr(1));
+ }
+ if (!visible) {
+ select("file0");
+ }
+ })();
+ </script>
+</html>
Code Review / aaf / sms.git / commitdiff