├── .gitignore
├── LICENSE.md
├── Makefile
├── README.md
├── bundle.go
├── bundle_test.go
├── cmds
    └── coffer
    │   └── main.go
├── coffer.go
├── container.go
├── fake_kms_test.go
├── fake_s3_test.go
├── files.go
├── glide.lock
├── glide.yaml
├── kms.go
├── kms_test.go
├── nacl
    ├── secretbox.go
    └── secretbox_test.go
├── s3.go
└── s3_test.go


/.gitignore:
--------------------------------------------------------------------------------
1 | testcoffer
2 | build
3 | release
4 | *.coffer
5 | testcoffer.yaml
6 | dist
7 | build
8 | vendor
9 | 


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2015 Mark Wolfe
 2 | 
 3 | Permission is hereby granted, free of charge, to any person
 4 | obtaining a copy of this software and associated documentation
 5 | files (the "Software"), to deal in the Software without
 6 | restriction, including without limitation the rights to use,
 7 | copy, modify, merge, publish, distribute, sublicense, and/or sell
 8 | copies of the Software, and to permit persons to whom the
 9 | Software is furnished to do so, subject to the following
10 | conditions:
11 | 
12 | The above copyright notice and this permission notice shall be
13 | included in all copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
17 | OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
19 | HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
20 | WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21 | FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
22 | OTHER DEALINGS IN THE SOFTWARE.
23 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | NAME=coffer
 2 | ARCH=$(shell uname -m)
 3 | VERSION=2.1.0
 4 | ITERATION := 1
 5 | 
 6 | default: deps compile
 7 | 
 8 | deps:
 9 | 	go get github.com/c4milo/github-release
10 | 	go get github.com/mitchellh/gox
11 | 	glide install
12 | 
13 | compile: deps
14 | 	@rm -rf build/
15 | 	@gox -ldflags "-X main.Version=$(VERSION)" \
16 | 	-osarch="darwin/amd64" \
17 | 	-osarch="linux/i386" \
18 | 	-osarch="linux/amd64" \
19 | 	-osarch="windows/amd64" \
20 | 	-osarch="windows/i386" \
21 | 	-output "build/{{.Dir}}_$(VERSION)_{{.OS}}_{{.Arch}}/$(NAME)" \
22 | 	$(shell glide novendor)
23 | 
24 | dist:
25 | 	$(eval FILES := $(shell ls build))
26 | 	@rm -rf dist && mkdir dist
27 | 	@for f in $(FILES); do \
28 | 		(cd $(shell pwd)/build/$$f && tar -cvzf ../../dist/$$f.tar.gz *); \
29 | 		(cd $(shell pwd)/dist && shasum -a 512 $$f.tar.gz > $$f.sha512); \
30 | 		echo $$f; \
31 | 	done
32 | 
33 | release:
34 | 	@github-release "v$(VERSION)" dist/* --commit "$(git rev-parse HEAD)" --github-repository wolfeidau/$(NAME)
35 | 
36 | test: deps
37 | 	go test -cover -v $(shell glide novendor)
38 | 
39 | clean:
40 | 	@rm -rf dist build
41 | 
42 | .PHONY: default deps clean compile dist release test


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # coffer
  2 | 
  3 | This command line tool is designed to simplify storage and retrieval of secrets in [Amazon Web Services](https://aws.amazon.com).
  4 | 
  5 | It uses the following services:
  6 | 
  7 | * [Simple Storage Service](https://aws.amazon.com/s3/) (S3) to store secrets encrypted in files
  8 | * [Key Management Service](https://aws.amazon.com/kms/) (KMS) to manage encryption keys which encrypt/decrypt your secrets
  9 | 
 10 | A typical use case for coffer is you have a docker container which needs to retrieve on startup some file based secrets and apply them prior to starting a service. This is quite common requirement with continuous integration agents running in docker containers.
 11 | 
 12 | # coffer bundle format
 13 | 
 14 | coffer uses a a YAML file file to package a bunch of files together. The format of this file is illustrated below.
 15 | 
 16 | coffer has the ability to synchronise the files described in this bundle with the filesystem, creating/updating and changing the mode of the files.
 17 | 
 18 | ```yaml
 19 | files:
 20 |   "/home/user/myfile2" :
 21 |     mode: 0755
 22 |     content: |
 23 |       # this is my file
 24 |       # with content
 25 | ```
 26 | 
 27 | # environment
 28 | 
 29 | The command reads the following environment variables.
 30 | 
 31 | * `AWS_REGION` the AWS region
 32 | * `AWS_PROFILE` the AWS profile to use
 33 | * `COFFER_ALIAS` the alias name of the file in KMS
 34 | * `S3_BUCKET` the S3 bucket which the file will be uploaded
 35 | 
 36 | # usage
 37 | 
 38 | Sub commands for this tool are:
 39 | 
 40 | * encrypt, this encrypts the coffer file.
 41 | * decrypt, this decrypts the coffer file, required at the moment if you want to edit it.
 42 | * upload, uploads the coffer to s3, ensuring that only encrypted data gets uploaded.
 43 | * download, pull down a coffer and validates it, file is only saved if it is decrypts and is valid.
 44 | * sync, sync a coffer with the file system, this creates/modifies/chmods files based on the information in the yaml.
 45 | 
 46 | # example
 47 | 
 48 | Before you start.
 49 | 
 50 | * Create a bucket in S3, I suggest something like `XXXX-coffers` in the same region as your KMS key.
 51 | * Create a KMS key see [Creating Keys](http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) with the alias `coffer`, note this needs to be in the same region as your S3 bucket.
 52 | * Make an IAM role in AWS for your servers permitting access to the S3 bucket and KMS key (see the IAM policy below).
 53 | 
 54 | Create a coffer file with some SSH keys in it.
 55 | 
 56 | ```
 57 | cat > buildkite.coffer <<EOF
 58 | files:
 59 |   "/var/lib/buildkite-agent/.ssh/id_rsa":
 60 |     mode: 0600
 61 |     content: |
 62 |         -----BEGIN RSA PRIVATE KEY-----
 63 |         XXXX
 64 |         -----END RSA PRIVATE KEY-----
 65 | EOF
 66 | ```
 67 | 
 68 | Encrypt and Upload the coffer file to S3.
 69 | 
 70 | ```
 71 | AWS_PROFILE=XXXX AWS_REGION=us-west-2 coffer --coffer-file buildkite.coffer upload --bucket="XXXX-coffers"
 72 | ```
 73 | 
 74 | # IAM Role
 75 | 
 76 | If you want to give systems permission to access your coffer key in KMS use the following role. Note you will need to grab the ARN of your key from KMS.
 77 | 
 78 | ```json
 79 | {
 80 |   "Version": "2012-10-17",
 81 |   "Statement": [
 82 |     {
 83 |       "Effect": "Allow",
 84 |       "Action": [
 85 |         "s3:Get*",
 86 |         "s3:List*"
 87 |       ],
 88 |       "Resource": [
 89 |         "arn:aws:s3:::XXXX-coffers/*"
 90 |       ]
 91 |     },
 92 |     {
 93 |       "Sid": "Allow use of the key",
 94 |       "Effect": "Allow",
 95 |       "Action": [
 96 |         "kms:Encrypt",
 97 |         "kms:Decrypt",
 98 |         "kms:ReEncrypt*",
 99 |         "kms:GenerateDataKey*",
100 |         "kms:DescribeKey"
101 |       ],
102 |       "Resource": "arn:aws:kms:us-west-2:XXXX:key/XXXX-XXXX-XXXX-XXXX-XXXX"
103 |     }
104 |   ]
105 | }
106 | ```
107 | 
108 | # KMS
109 | 
110 | You can list your key aliases using the AWS CLI.
111 | 
112 | ```
113 | aws --profile XXXX kms list-aliases
114 | ```
115 | 
116 | # encryption
117 | 
118 | This now uses `golang.org/x/crypto/nacl/secretbox` which is a great little library designed to help people do message encryption correctly.
119 | 
120 | # change log
121 | 
122 | # 2.0
123 | 
124 | * Changed file format, now uses YAML as a container for meta data and encrypted payload
125 | * Added a version and name field
126 | * Added support for KMS to remove the need for a secret
127 | 
128 | # License
129 | 
130 | This code is released under the MIT license see the LICENSE.md file for more details.
131 | 


--------------------------------------------------------------------------------
/bundle.go:
--------------------------------------------------------------------------------
 1 | package coffer
 2 | 
 3 | import (
 4 | 	"log"
 5 | 
 6 | 	"gopkg.in/yaml.v2"
 7 | )
 8 | 
 9 | // Bundle bundle of files and their related information
10 | type Bundle struct {
11 | 	Files map[string]*FileData `yaml:"files"`
12 | }
13 | 
14 | // MustValidate checks the validity of the bundle
15 | func (b *Bundle) MustValidate() {
16 | 
17 | 	for k, f := range b.Files {
18 | 		if k == "" {
19 | 			log.Fatalf("Validation failed: file name must be set for %v", f)
20 | 		}
21 | 
22 | 		f.MustValidate(k)
23 | 	}
24 | }
25 | 
26 | // FileData an encoded file with it's permissions
27 | type FileData struct {
28 | 	Mode    uint32 `yaml:"mode"`
29 | 	Owner   string `yaml:"owner"`
30 | 	Group   string `yaml:"group"`
31 | 	Content string `yaml:"content"`
32 | }
33 | 
34 | // MustValidate checks the validity of the file data structure.
35 | func (f *FileData) MustValidate(name string) {
36 | 	if f.Mode == 0 {
37 | 		log.Fatalf("Validation failed: file mode must be set for %s", name)
38 | 	}
39 | }
40 | 
41 | func mustDecodeBundle(data []byte) *Bundle {
42 | 
43 | 	var bundle *Bundle
44 | 
45 | 	err := yaml.Unmarshal(data, &bundle)
46 | 
47 | 	if err != nil {
48 | 		log.Fatalf("Unable to decode YAML data: %v", err)
49 | 	}
50 | 
51 | 	return bundle
52 | }
53 | 
54 | func mustEncodeBundle(bundle *Bundle) []byte {
55 | 
56 | 	data, err := yaml.Marshal(bundle)
57 | 	if err != nil {
58 | 		log.Fatalf("Unable to encode YAML data: %v", err)
59 | 	}
60 | 
61 | 	return data
62 | }
63 | 


--------------------------------------------------------------------------------
/bundle_test.go:
--------------------------------------------------------------------------------
 1 | package coffer
 2 | 
 3 | import (
 4 | 	"testing"
 5 | 
 6 | 	"github.com/bmizerany/assert"
 7 | 	"github.com/kr/pretty"
 8 | )
 9 | 
10 | var bundleText = []byte(`files:
11 |   /home/user/myfile2:
12 |     mode: 755
13 |     owner: root
14 |     group: root
15 |     content: |
16 |       # this is my file
17 |       # with content
18 | `)
19 | 
20 | var bundleExpected = &Bundle{
21 | 	Files: map[string]*FileData{
22 | 		"/home/user/myfile2": &FileData{
23 | 			Mode:    755,
24 | 			Owner:   "root",
25 | 			Group:   "root",
26 | 			Content: "# this is my file\n# with content\n",
27 | 		},
28 | 	},
29 | }
30 | 
31 | func TestEncodeBundle(t *testing.T) {
32 | 
33 | 	data := mustEncodeBundle(bundleExpected)
34 | 
35 | 	pretty.Printf("bundle %s\n", string(data))
36 | 
37 | 	assert.Equal(t, string(bundleText), string(data))
38 | }
39 | 
40 | func TestDecodeBundle(t *testing.T) {
41 | 
42 | 	bundle := mustDecodeBundle(bundleText)
43 | 
44 | 	pretty.Printf("bundle %+v\n", bundle)
45 | 
46 | 	bundle.MustValidate()
47 | 
48 | 	assert.Equal(t, bundle, bundleExpected)
49 | }
50 | 


--------------------------------------------------------------------------------
/cmds/coffer/main.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"log"
 5 | 	"os"
 6 | 
 7 | 	"github.com/alecthomas/kingpin"
 8 | 	"github.com/wolfeidau/coffer"
 9 | )
10 | 
11 | const S3BucketEnv = "S3_BUCKET"
12 | 
13 | var (
14 | 	app        = kingpin.New("coffer", "A command line tool to manage encrypted coffer files.")
15 | 	debug      = app.Flag("debug", "Enable debug mode.").Bool()
16 | 	cofferFile = app.Flag("coffer-file", "Coffer file.").Required().String()
17 | 
18 | 	// either we supply a alias
19 | 	alias = app.Flag("alias", "KMS key alias.").OverrideDefaultFromEnvar("COFFER_KEY_ALIAS").Default("alias/coffer").String()
20 | 
21 | 	// or we are using KMS
22 | 	key = app.Flag("key", "The KMS key-id of the master key to use.").OverrideDefaultFromEnvar("COFFER_KEY").String()
23 | 
24 | 	// commands
25 | 	encrypt        = app.Command("encrypt", "Encrypt the coffer file.")
26 | 	decrypt        = app.Command("decrypt", "Decrypt the coffer file.")
27 | 	sync           = app.Command("sync", "Sync the coffer file with the local filesystem.")
28 | 	base           = sync.Flag("base", "Set a base path for testing.").String()
29 | 	upload         = app.Command("upload", "Upload a bundle to s3.")
30 | 	uploadBucket   = upload.Flag("bucket", "Name of the s3 bucket").String()
31 | 	download       = app.Command("download", "Download a bundle from s3.")
32 | 	downloadBucket = download.Flag("bucket", "Name of the s3 bucket").String()
33 | 
34 | 	downloadSync       = app.Command("download-sync", "Download a bundle from s3 and sync with the local filesystem.")
35 | 	downloadSyncBucket = downloadSync.Flag("bucket", "Name of the s3 bucket").String()
36 | 	downloadSyncBase   = downloadSync.Flag("base", "Set a base path for testing.").String()
37 | 
38 | 	// Version app version updated by build script
39 | 	Version = ""
40 | )
41 | 
42 | func main() {
43 | 	app.Version(Version)
44 | 
45 | 	switch kingpin.MustParse(app.Parse(os.Args[1:])) {
46 | 	// encrypt the coffer file
47 | 	case encrypt.FullCommand():
48 | 		log.Printf("encrypt")
49 | 		coffer.MustEncrypt(*cofferFile, *alias)
50 | 	// decrypt the coffer file
51 | 	case decrypt.FullCommand():
52 | 		log.Printf("decrypt")
53 | 		coffer.MustDecrypt(*cofferFile, *alias)
54 | 	// sync the file system to the coffer file
55 | 	case sync.FullCommand():
56 | 		log.Printf("sync")
57 | 		coffer.MustSync(*cofferFile, *alias, *base)
58 | 	case upload.FullCommand():
59 | 		log.Printf("upload")
60 | 		s3Bucket := mustValidateBucketName(*uploadBucket)
61 | 		coffer.MustUpload(*cofferFile, *alias, s3Bucket)
62 | 	case download.FullCommand():
63 | 		log.Printf("download")
64 | 		s3Bucket := mustValidateBucketName(*downloadBucket)
65 | 		coffer.MustDownload(*cofferFile, *alias, s3Bucket)
66 | 	case downloadSync.FullCommand():
67 | 		log.Printf("download-sync")
68 | 		s3Bucket := mustValidateBucketName(*downloadSyncBucket)
69 | 		coffer.MustDownloadSync(*cofferFile, *alias, s3Bucket, *downloadSyncBase)
70 | 	}
71 | }
72 | 
73 | func mustValidateBucketName(bucket string) string {
74 | 	if bucket != "" {
75 | 		return bucket
76 | 	}
77 | 
78 | 	s3Bucket := os.Getenv(S3BucketEnv)
79 | 
80 | 	if s3Bucket == "" {
81 | 		log.Fatalf("--bucket s3 bucket name is required")
82 | 	}
83 | 
84 | 	return s3Bucket
85 | }
86 | 


--------------------------------------------------------------------------------
/coffer.go:
--------------------------------------------------------------------------------
  1 | package coffer
  2 | 
  3 | import (
  4 | 	"encoding/base64"
  5 | 	"log"
  6 | 	"os"
  7 | 	"path"
  8 | 
  9 | 	"github.com/wolfeidau/coffer/nacl"
 10 | )
 11 | 
 12 | var (
 13 | 	// CofferBlockSize size of the key
 14 | 	CofferBlockSize = 32
 15 | 	// OwnerRead is the default mode set for new coffer files, note the octal number
 16 | 	OwnerRead = os.FileMode(0600)
 17 | 	// Version the version of the coffer file
 18 | 	Version = "2.0.0"
 19 | )
 20 | 
 21 | // MustEncrypt encrypt the supplied file
 22 | func MustEncrypt(cofferFile, alias string) {
 23 | 
 24 | 	data := mustReadFile(cofferFile)
 25 | 
 26 | 	payload := mustEncryptPayload(data, alias)
 27 | 
 28 | 	mustWriteFile(cofferFile, payload, OwnerRead)
 29 | }
 30 | 
 31 | // MustDecrypt decrypt the supplied file
 32 | func MustDecrypt(cofferFile, alias string) []byte {
 33 | 
 34 | 	data := mustReadFile(cofferFile)
 35 | 
 36 | 	payload := mustDecryptPayload(data, alias)
 37 | 
 38 | 	return mustWriteFile(cofferFile, payload, OwnerRead)
 39 | 
 40 | }
 41 | 
 42 | // MustSync sync the file up to S3
 43 | func MustSync(cofferFile, alias, base string) {
 44 | 
 45 | 	// base not set
 46 | 	if base == "" {
 47 | 		base = "/" // set the base directory to '/'
 48 | 	}
 49 | 
 50 | 	payload := mustReadFile(cofferFile)
 51 | 
 52 | 	// if the coffer file is encrypted, decrypt it
 53 | 	if isEncrypted(payload) {
 54 | 		payload = mustDecryptPayload(payload, alias)
 55 | 	}
 56 | 
 57 | 	bundle := mustDecodeBundle(payload)
 58 | 
 59 | 	bundle.MustValidate()
 60 | 
 61 | 	mustExtractBundle(bundle, base)
 62 | }
 63 | 
 64 | // MustUpload upload the file to the supplied s3 bucket
 65 | func MustUpload(cofferFile, alias, bucket string) {
 66 | 
 67 | 	payload := mustReadFile(cofferFile)
 68 | 
 69 | 	// if the coffer is not encrypted
 70 | 	if !isEncrypted(payload) {
 71 | 		payload = mustEncryptPayload(payload, alias)
 72 | 	}
 73 | 
 74 | 	filename := path.Base(cofferFile)
 75 | 
 76 | 	mustUpload(bucket, filename, payload)
 77 | }
 78 | 
 79 | // MustDownload download the file from the supplied s3 bucket
 80 | func MustDownload(cofferFile, alias, bucket string) {
 81 | 
 82 | 	filename := path.Base(cofferFile)
 83 | 
 84 | 	payload := mustDownload(bucket, filename)
 85 | 
 86 | 	mustWriteFile(cofferFile, payload, OwnerRead)
 87 | }
 88 | 
 89 | // MustDownloadSync download the file from the supplied s3 bucket and sync
 90 | // it to the filesystem
 91 | func MustDownloadSync(cofferFile, alias, bucket, base string) {
 92 | 
 93 | 	// base not set
 94 | 	if base == "" {
 95 | 		base = "/" // set the base directory to '/'
 96 | 	}
 97 | 
 98 | 	filename := path.Base(cofferFile)
 99 | 
100 | 	payload := mustDownload(bucket, filename)
101 | 
102 | 	// if the coffer file is encrypted, decrypt it
103 | 	if isEncrypted(payload) {
104 | 		payload = mustDecryptPayload(payload, alias)
105 | 	}
106 | 
107 | 	bundle := mustDecodeBundle(payload)
108 | 
109 | 	bundle.MustValidate()
110 | 
111 | 	mustExtractBundle(bundle, base)
112 | }
113 | 
114 | func isEncrypted(data []byte) bool {
115 | 
116 | 	coffer, err := DecodeCoffer(data)
117 | 
118 | 	if err != nil {
119 | 		return false
120 | 	}
121 | 
122 | 	return coffer.Validate()
123 | }
124 | 
125 | func mustEncryptPayload(data []byte, alias string) []byte {
126 | 
127 | 	if isEncrypted(data) {
128 | 		log.Fatalf("coffer file already encrypted")
129 | 	}
130 | 
131 | 	key := mustGenerateDataKey(alias)
132 | 
133 | 	payload := nacl.Encrypt(data, key.Plaintext)
134 | 	cipherText := base64.StdEncoding.EncodeToString(payload)
135 | 	keyCipherText := base64.StdEncoding.EncodeToString(key.CiphertextBlob)
136 | 
137 | 	log.Printf("encoded data len: %d", len(cipherText))
138 | 
139 | 	return mustEncodeCoffer(&Coffer{
140 | 		Key:        keyCipherText,
141 | 		Version:    Version,
142 | 		CipherText: cipherText,
143 | 	})
144 | }
145 | 
146 | func mustDecryptPayload(data []byte, alias string) []byte {
147 | 
148 | 	coffer, err := DecodeCoffer(data)
149 | 
150 | 	if err != nil {
151 | 		log.Fatalf("unable to decode coffer")
152 | 	}
153 | 
154 | 	if coffer.Validate() {
155 | 
156 | 		keyData, err := base64.StdEncoding.DecodeString(coffer.Key)
157 | 
158 | 		if err != nil {
159 | 			log.Fatalf("unable to decode key")
160 | 		}
161 | 
162 | 		key := mustDecrypt(keyData)
163 | 
164 | 		decoded, err := base64.StdEncoding.DecodeString(coffer.CipherText)
165 | 
166 | 		if err != nil {
167 | 			log.Fatalf("coffer file could not be decoded")
168 | 		}
169 | 
170 | 		log.Printf("decoded data len: %d", len(decoded))
171 | 		return nacl.Decrypt(decoded, key.Plaintext)
172 | 	}
173 | 
174 | 	log.Fatalf("invalid coffer file, unable to decrypt")
175 | 
176 | 	return []byte{}
177 | }
178 | 


--------------------------------------------------------------------------------
/container.go:
--------------------------------------------------------------------------------
 1 | package coffer
 2 | 
 3 | import (
 4 | 	"log"
 5 | 
 6 | 	"gopkg.in/yaml.v2"
 7 | )
 8 | 
 9 | // Coffer used as the container for an encrypted coffer
10 | type Coffer struct {
11 | 	Name       string `yaml:"name,omitempty"`
12 | 	Version    string `yaml:"version,omitempty"`
13 | 	Key        string `yaml:"key,omitempty"`
14 | 	CipherText string `yaml:"ct,omitempty"`
15 | }
16 | 
17 | // Validate checks the validity of the coffer
18 | func (c *Coffer) Validate() bool {
19 | 
20 | 	if len(c.Version) == 0 {
21 | 		return false
22 | 	}
23 | 
24 | 	if len(c.CipherText) == 0 {
25 | 		return false
26 | 	}
27 | 
28 | 	return true
29 | }
30 | 
31 | // DecodeCoffer decode the coffer file
32 | func DecodeCoffer(data []byte) (coffer *Coffer, err error) {
33 | 
34 | 	err = yaml.Unmarshal(data, &coffer)
35 | 
36 | 	if err != nil {
37 | 		return
38 | 	}
39 | 
40 | 	return
41 | }
42 | 
43 | func mustEncodeCoffer(coffer *Coffer) []byte {
44 | 
45 | 	data, err := yaml.Marshal(coffer)
46 | 	if err != nil {
47 | 		log.Fatalf("Unable to encode YAML data: %v", err)
48 | 	}
49 | 
50 | 	return data
51 | }
52 | 


--------------------------------------------------------------------------------
/fake_kms_test.go:
--------------------------------------------------------------------------------
 1 | package coffer
 2 | 
 3 | import "github.com/aws/aws-sdk-go/service/kms"
 4 | 
 5 | type FakeKMS struct {
 6 | 	GenerateInputs  []kms.GenerateDataKeyInput
 7 | 	GenerateOutputs []kms.GenerateDataKeyOutput
 8 | 
 9 | 	DecryptInputs  []kms.DecryptInput
10 | 	DecryptOutputs []kms.DecryptOutput
11 | }
12 | 
13 | func (f *FakeKMS) GenerateDataKey(req *kms.GenerateDataKeyInput) (*kms.GenerateDataKeyOutput, error) {
14 | 	f.GenerateInputs = append(f.GenerateInputs, *req)
15 | 	resp := f.GenerateOutputs[0]
16 | 	f.GenerateOutputs = f.GenerateOutputs[1:]
17 | 	return &resp, nil
18 | }
19 | 
20 | func (f *FakeKMS) Decrypt(req *kms.DecryptInput) (*kms.DecryptOutput, error) {
21 | 	f.DecryptInputs = append(f.DecryptInputs, *req)
22 | 	resp := f.DecryptOutputs[0]
23 | 	f.DecryptOutputs = f.DecryptOutputs[1:]
24 | 	return &resp, nil
25 | }
26 | 


--------------------------------------------------------------------------------
/fake_s3_test.go:
--------------------------------------------------------------------------------
 1 | package coffer
 2 | 
 3 | import "github.com/aws/aws-sdk-go/service/s3"
 4 | 
 5 | type FakeS3 struct {
 6 | 	ListInputs  []s3.ListObjectsInput
 7 | 	ListOutputs []s3.ListObjectsOutput
 8 | 
 9 | 	DeleteInputs  []s3.DeleteObjectInput
10 | 	DeleteOutputs []s3.DeleteObjectOutput
11 | 
12 | 	PutInputs  []s3.PutObjectInput
13 | 	PutOutputs []s3.PutObjectOutput
14 | 
15 | 	GetInputs  []s3.GetObjectInput
16 | 	GetOutputs []s3.GetObjectOutput
17 | }
18 | 
19 | func (f *FakeS3) ListObjects(req *s3.ListObjectsInput) (*s3.ListObjectsOutput, error) {
20 | 	f.ListInputs = append(f.ListInputs, *req)
21 | 	resp := f.ListOutputs[0]
22 | 	f.ListOutputs = f.ListOutputs[1:]
23 | 	return &resp, nil
24 | }
25 | 
26 | func (f *FakeS3) DeleteObject(req *s3.DeleteObjectInput) (*s3.DeleteObjectOutput, error) {
27 | 	f.DeleteInputs = append(f.DeleteInputs, *req)
28 | 	resp := f.DeleteOutputs[0]
29 | 	f.DeleteOutputs = f.DeleteOutputs[1:]
30 | 	return &resp, nil
31 | }
32 | 
33 | func (f *FakeS3) PutObject(req *s3.PutObjectInput) (*s3.PutObjectOutput, error) {
34 | 	f.PutInputs = append(f.PutInputs, *req)
35 | 	resp := f.PutOutputs[0]
36 | 	f.PutOutputs = f.PutOutputs[1:]
37 | 	return &resp, nil
38 | }
39 | 
40 | func (f *FakeS3) GetObject(req *s3.GetObjectInput) (*s3.GetObjectOutput, error) {
41 | 	f.GetInputs = append(f.GetInputs, *req)
42 | 	resp := f.GetOutputs[0]
43 | 	f.GetOutputs = f.GetOutputs[1:]
44 | 	return &resp, nil
45 | }
46 | 


--------------------------------------------------------------------------------
/files.go:
--------------------------------------------------------------------------------
 1 | package coffer
 2 | 
 3 | import (
 4 | 	"io/ioutil"
 5 | 	"log"
 6 | 	"os"
 7 | 	"path"
 8 | )
 9 | 
10 | func mustExtractBundle(bundle *Bundle, base string) {
11 | 
12 | 	log.Printf("extracting bundle to %s", base)
13 | 
14 | 	// if the base path is set then use this as the base for all creation
15 | 	if base != "" {
16 | 		for k, f := range bundle.Files {
17 | 			rpath := path.Join(base, k)
18 | 
19 | 			mustMkDirAll(path.Dir(rpath))
20 | 			mustWriteFile(rpath, []byte(f.Content), os.FileMode(f.Mode))
21 | 		}
22 | 	}
23 | }
24 | 
25 | func mustReadFile(path string) []byte {
26 | 
27 | 	data, err := ioutil.ReadFile(path)
28 | 	if err != nil {
29 | 		log.Fatalf("Unable to open file: %v", err)
30 | 	}
31 | 	return data
32 | }
33 | 
34 | func mustWriteFile(path string, data []byte, mode os.FileMode) []byte {
35 | 
36 | 	log.Printf("WriteFile %s", path)
37 | 
38 | 	err := ioutil.WriteFile(path, data, mode)
39 | 	if err != nil {
40 | 		log.Fatalf("Unable to open file: %v", err)
41 | 	}
42 | 
43 | 	// ensure the mode is set even when we haven't modified the file.
44 | 	os.Chmod(path, mode)
45 | 
46 | 	return data
47 | }
48 | 
49 | func mustMkDirAll(rpath string) {
50 | 	log.Printf("MkDirAll %s", rpath)
51 | 
52 | 	err := os.MkdirAll(rpath, 0755)
53 | 	if err != nil {
54 | 		log.Fatalf("failed to create any necessary parents: %v", err)
55 | 	}
56 | }
57 | 


--------------------------------------------------------------------------------
/glide.lock:
--------------------------------------------------------------------------------
 1 | hash: 87b578904562837e90c32548a894b171d3364e1f4639819d9c09ccf63d303de1
 2 | updated: 2016-12-23T10:49:47.399063611+11:00
 3 | imports:
 4 | - name: github.com/alecthomas/kingpin
 5 |   version: d2d8a9115b36a531781f0ed3c57bcba202976150
 6 | - name: github.com/alecthomas/template
 7 |   version: a0175ee3bccc567396460bf5acd36800cb10c49c
 8 |   subpackages:
 9 |   - parse
10 | - name: github.com/alecthomas/units
11 |   version: 2efee857e7cfd4f3d0138cc3cbb1b4966962b93a
12 | - name: github.com/aws/aws-sdk-go
13 |   version: 2c129c11a732646f1411de34ad4833f50503f344
14 |   subpackages:
15 |   - aws
16 |   - aws/awserr
17 |   - aws/awsutil
18 |   - aws/client
19 |   - aws/client/metadata
20 |   - aws/corehandlers
21 |   - aws/credentials
22 |   - aws/credentials/ec2rolecreds
23 |   - aws/credentials/endpointcreds
24 |   - aws/credentials/stscreds
25 |   - aws/defaults
26 |   - aws/ec2metadata
27 |   - aws/request
28 |   - aws/session
29 |   - aws/signer/v4
30 |   - private/endpoints
31 |   - private/protocol
32 |   - private/protocol/json/jsonutil
33 |   - private/protocol/jsonrpc
34 |   - private/protocol/query
35 |   - private/protocol/query/queryutil
36 |   - private/protocol/rest
37 |   - private/protocol/restxml
38 |   - private/protocol/xml/xmlutil
39 |   - private/waiter
40 |   - service/kms
41 |   - service/s3
42 |   - service/sts
43 | - name: github.com/go-ini/ini
44 |   version: 6e4869b434bd001f6983749881c7ead3545887d8
45 | - name: github.com/jmespath/go-jmespath
46 |   version: bd40a432e4c76585ef6b72d3fd96fb9b6dc7b68d
47 | - name: golang.org/x/crypto
48 |   version: aa2481cbfe81d911eb62b642b7a6b5ec58bbea71
49 |   subpackages:
50 |   - nacl/secretbox
51 |   - poly1305
52 |   - salsa20/salsa
53 | - name: gopkg.in/yaml.v2
54 |   version: a5b47d31c556af34a302ce5d659e6fea44d90de0
55 | testImports:
56 | - name: github.com/bmizerany/assert
57 |   version: b7ed37b82869576c289d7d97fb2bbd8b64a0cb28
58 | - name: github.com/kr/pretty
59 |   version: cfb55aafdaf3ec08f0db22699ab822c50091b1c4
60 | - name: github.com/kr/text
61 |   version: 7cafcd837844e784b526369c9bce262804aebc60
62 | 


--------------------------------------------------------------------------------
/glide.yaml:
--------------------------------------------------------------------------------
 1 | package: github.com/wolfeidau/coffer
 2 | import:
 3 | - package: github.com/alecthomas/kingpin
 4 | - package: github.com/aws/aws-sdk-go
 5 |   subpackages:
 6 |   - aws
 7 |   - aws/awserr
 8 |   - aws/session
 9 |   - service/kms
10 |   - service/s3
11 | - package: golang.org/x/crypto
12 |   subpackages:
13 |   - nacl/secretbox
14 | - package: gopkg.in/yaml.v2
15 | testImport:
16 | - package: github.com/bmizerany/assert
17 | - package: github.com/kr/pretty
18 | 


--------------------------------------------------------------------------------
/kms.go:
--------------------------------------------------------------------------------
 1 | package coffer
 2 | 
 3 | import (
 4 | 	"log"
 5 | 
 6 | 	"github.com/aws/aws-sdk-go/aws"
 7 | 	"github.com/aws/aws-sdk-go/aws/session"
 8 | 	"github.com/aws/aws-sdk-go/service/kms"
 9 | )
10 | 
11 | // KeyManagement is a sub-set of the capabilities of the KMS client.
12 | type KeyManagement interface {
13 | 	GenerateDataKey(*kms.GenerateDataKeyInput) (*kms.GenerateDataKeyOutput, error)
14 | 	Decrypt(*kms.DecryptInput) (*kms.DecryptOutput, error)
15 | }
16 | 
17 | var kmsSvc KeyManagement
18 | 
19 | func init() {
20 | 	kmsSvc = kms.New(session.New())
21 | }
22 | 
23 | // DataKey which contains the details of the KMS key
24 | type DataKey struct {
25 | 	CiphertextBlob []byte
26 | 	Plaintext      []byte
27 | }
28 | 
29 | func mustDecrypt(ciphertext []byte) *DataKey {
30 | 
31 | 	log.Printf("decrypting data using KMS")
32 | 
33 | 	params := &kms.DecryptInput{
34 | 		CiphertextBlob:    ciphertext,
35 | 		EncryptionContext: map[string]*string{},
36 | 		GrantTokens:       []*string{},
37 | 	}
38 | 	resp, err := kmsSvc.Decrypt(params)
39 | 
40 | 	if err != nil {
41 | 		log.Fatalf("kms error: %s", err.Error())
42 | 	}
43 | 
44 | 	return &DataKey{
45 | 		CiphertextBlob: ciphertext,
46 | 		Plaintext:      resp.Plaintext, // transfer the plain text key after decryption
47 | 	}
48 | }
49 | 
50 | func mustGenerateDataKey(alias string) *DataKey {
51 | 
52 | 	params := &kms.GenerateDataKeyInput{
53 | 		KeyId:             aws.String(alias),
54 | 		EncryptionContext: map[string]*string{},
55 | 		GrantTokens:       []*string{},
56 | 		NumberOfBytes:     aws.Int64(64),
57 | 	}
58 | 
59 | 	resp, err := kmsSvc.GenerateDataKey(params)
60 | 
61 | 	if err != nil {
62 | 		log.Fatalf("kms error: %s", err.Error())
63 | 	}
64 | 
65 | 	return &DataKey{
66 | 		CiphertextBlob: resp.CiphertextBlob,
67 | 		Plaintext:      resp.Plaintext[:32], // just return 32 bytes for the key
68 | 	}
69 | }
70 | 


--------------------------------------------------------------------------------
/kms_test.go:
--------------------------------------------------------------------------------
 1 | package coffer
 2 | 
 3 | import (
 4 | 	"testing"
 5 | 
 6 | 	"github.com/aws/aws-sdk-go/aws"
 7 | 	"github.com/aws/aws-sdk-go/service/kms"
 8 | 	"github.com/bmizerany/assert"
 9 | 	"github.com/kr/pretty"
10 | )
11 | 
12 | func TestGenerateDataKey(t *testing.T) {
13 | 
14 | 	fakeKMS := &FakeKMS{
15 | 		GenerateOutputs: []kms.GenerateDataKeyOutput{
16 | 			{
17 | 				CiphertextBlob: []byte("yay"),
18 | 				KeyId:          aws.String("coffer"),
19 | 				Plaintext:      make([]byte, 32),
20 | 			},
21 | 		},
22 | 		DecryptOutputs: []kms.DecryptOutput{
23 | 			{
24 | 				KeyId:     aws.String("key1"),
25 | 				Plaintext: make([]byte, 32),
26 | 			},
27 | 		},
28 | 	}
29 | 
30 | 	kmsSvc = fakeKMS
31 | 
32 | 	dataKey := mustGenerateDataKey("coffer")
33 | 
34 | 	pretty.Printf("dataKey %+v\n", dataKey)
35 | 
36 | 	assert.Equal(t, []byte("yay"), dataKey.CiphertextBlob)
37 | 	assert.Equal(t, make([]byte, 32), dataKey.Plaintext)
38 | }
39 | 
40 | func TestEncrypt(t *testing.T) {
41 | 
42 | 	fakeKMS := &FakeKMS{
43 | 		GenerateOutputs: []kms.GenerateDataKeyOutput{
44 | 			{
45 | 				CiphertextBlob: []byte("yay"),
46 | 				KeyId:          aws.String("coffer"),
47 | 				Plaintext:      make([]byte, 32),
48 | 			},
49 | 		},
50 | 		DecryptOutputs: []kms.DecryptOutput{
51 | 			{
52 | 				KeyId:     aws.String("coffer"),
53 | 				Plaintext: make([]byte, 32),
54 | 			},
55 | 		},
56 | 	}
57 | 
58 | 	kmsSvc = fakeKMS
59 | 
60 | 	ciphertext := make([]byte, 24)
61 | 
62 | 	dataKey := mustDecrypt(ciphertext)
63 | 
64 | 	assert.Equal(t, make([]byte, 32), dataKey.Plaintext)
65 | 
66 | }
67 | 


--------------------------------------------------------------------------------
/nacl/secretbox.go:
--------------------------------------------------------------------------------
 1 | package nacl
 2 | 
 3 | import (
 4 | 	"crypto/rand"
 5 | 	"log"
 6 | 
 7 | 	"golang.org/x/crypto/nacl/secretbox"
 8 | )
 9 | 
10 | // Decrypt basic wrapper around secretbox which will decrypt a box
11 | // using ct which is comprised of a nonce followed by the box.
12 | func Decrypt(ct, key []byte) []byte {
13 | 
14 | 	mustValidateKey(key)
15 | 
16 | 	var k [32]byte
17 | 	var nonce [24]byte
18 | 	var opened []byte
19 | 
20 | 	// extract the nonce from the start of the message
21 | 	copy(nonce[:], ct[:24])
22 | 
23 | 	copy(k[:], key[:32])
24 | 
25 | 	// out, box, nonce, key
26 | 	var ok bool
27 | 	opened, ok = secretbox.Open(opened[:0], ct[24:], &nonce, &k)
28 | 
29 | 	if !ok {
30 | 		log.Fatalln("Failed to decrypt data")
31 | 	}
32 | 
33 | 	return opened
34 | }
35 | 
36 | // Encrypt basic wrapper around secretbox which will encrypt a plain text
37 | // and return a message comprised of the nonce followed by the encrypted box.
38 | func Encrypt(plaintext, key []byte) []byte {
39 | 
40 | 	mustValidateKey(key)
41 | 
42 | 	var k [32]byte
43 | 	var nonce [24]byte
44 | 	var box []byte
45 | 
46 | 	// must be unique for each encrypt
47 | 	rand.Reader.Read(nonce[:])
48 | 	copy(k[:], key[:32])
49 | 
50 | 	// out, message, nonce, key
51 | 	box = secretbox.Seal(box[:0], plaintext, &nonce, &k)
52 | 
53 | 	// add the nonce to the start of the message
54 | 	box = append(nonce[:], box...)
55 | 
56 | 	return box
57 | }
58 | 
59 | func mustValidateKey(key []byte) {
60 | 	if len(key) < 32 {
61 | 		log.Fatalln("Key validatation failed, must be 32 bytes long")
62 | 	}
63 | }
64 | 


--------------------------------------------------------------------------------
/nacl/secretbox_test.go:
--------------------------------------------------------------------------------
 1 | package nacl
 2 | 
 3 | import (
 4 | 	"crypto/rand"
 5 | 	"testing"
 6 | 
 7 | 	"github.com/bmizerany/assert"
 8 | )
 9 | 
10 | var msg = []byte(`
11 | test
12 | test
13 | test
14 | `)
15 | 
16 | func TestEncryptions(t *testing.T) {
17 | 
18 | 	var key [32]byte
19 | 	var nonce [24]byte
20 | 
21 | 	rand.Reader.Read(key[:])
22 | 	rand.Reader.Read(nonce[:])
23 | 
24 | 	enc := Encrypt(msg, key[:])
25 | 
26 | 	dec := Decrypt(enc, key[:])
27 | 
28 | 	assert.Equal(t, msg, dec)
29 | }
30 | 


--------------------------------------------------------------------------------
/s3.go:
--------------------------------------------------------------------------------
 1 | package coffer
 2 | 
 3 | import (
 4 | 	"bytes"
 5 | 	"io"
 6 | 	"log"
 7 | 
 8 | 	"github.com/aws/aws-sdk-go/aws"
 9 | 	"github.com/aws/aws-sdk-go/aws/awserr"
10 | 	"github.com/aws/aws-sdk-go/aws/session"
11 | 	"github.com/aws/aws-sdk-go/service/s3"
12 | )
13 | 
14 | // ObjectStorage is a sub-set of the capabilities of the S3 client.
15 | type ObjectStorage interface {
16 | 	ListObjects(*s3.ListObjectsInput) (*s3.ListObjectsOutput, error)
17 | 	DeleteObject(*s3.DeleteObjectInput) (*s3.DeleteObjectOutput, error)
18 | 	PutObject(*s3.PutObjectInput) (*s3.PutObjectOutput, error)
19 | 	GetObject(*s3.GetObjectInput) (*s3.GetObjectOutput, error)
20 | }
21 | 
22 | var s3Svc ObjectStorage
23 | 
24 | func init() {
25 | 	s3Svc = s3.New(session.New())
26 | }
27 | 
28 | func mustUpload(bucket string, filename string, payload []byte) {
29 | 
30 | 	log.Printf("putting file=%s into bucket=%s length=%d", filename, bucket, len(payload))
31 | 
32 | 	params := &s3.PutObjectInput{
33 | 		Bucket:               aws.String(bucket),   // Required
34 | 		Key:                  aws.String(filename), // Required
35 | 		Body:                 bytes.NewReader(payload),
36 | 		ContentLength:        aws.Int64(int64(len(payload))),
37 | 		ServerSideEncryption: aws.String(s3.ServerSideEncryptionAes256),
38 | 	}
39 | 
40 | 	resp, err := s3Svc.PutObject(params)
41 | 
42 | 	if err != nil {
43 | 		if awsErr, ok := err.(awserr.Error); ok {
44 | 			// A service error occurred.
45 | 			log.Fatalf("AWS Error code: %v message: %s", awsErr.Code(), awsErr.Message())
46 | 		}
47 | 		// A non-service error occurred.
48 | 		log.Fatalf("Error make request to AWS: %v", err)
49 | 	}
50 | 
51 | 	// Pretty-print the response data.
52 | 	log.Printf("response %vs", resp)
53 | 
54 | }
55 | 
56 | func mustDownload(bucket string, filename string) []byte {
57 | 
58 | 	log.Printf("getting file=%s from bucket=%s", filename, bucket)
59 | 
60 | 	params := &s3.GetObjectInput{
61 | 		Bucket: aws.String(bucket),   // Required
62 | 		Key:    aws.String(filename), // Required
63 | 	}
64 | 
65 | 	resp, err := s3Svc.GetObject(params)
66 | 
67 | 	if err != nil {
68 | 		if awsErr, ok := err.(awserr.Error); ok {
69 | 			// A service error occurred.
70 | 			log.Fatalf("AWS Error code: %v message: %s", awsErr.Code(), awsErr.Message())
71 | 		}
72 | 		// A non-service error occurred.
73 | 		log.Fatalf("Error make request to AWS: %v", err)
74 | 	}
75 | 
76 | 	defer resp.Body.Close()
77 | 
78 | 	payload := new(bytes.Buffer)
79 | 
80 | 	io.Copy(payload, resp.Body)
81 | 
82 | 	// Pretty-print the response data.
83 | 	log.Printf("response %v", resp)
84 | 
85 | 	return payload.Bytes()
86 | }
87 | 


--------------------------------------------------------------------------------
/s3_test.go:
--------------------------------------------------------------------------------
 1 | package coffer
 2 | 
 3 | import (
 4 | 	"bytes"
 5 | 	"io/ioutil"
 6 | 	"testing"
 7 | 
 8 | 	"github.com/aws/aws-sdk-go/service/s3"
 9 | 	"github.com/bmizerany/assert"
10 | )
11 | 
12 | func TestUpload(t *testing.T) {
13 | 	fakeS3 := &FakeS3{
14 | 		PutOutputs: []s3.PutObjectOutput{
15 | 			{},
16 | 			{},
17 | 		},
18 | 	}
19 | 
20 | 	s3Svc = fakeS3
21 | 
22 | 	mustUpload("mybucket", "test.coffer", make([]byte, 32))
23 | }
24 | 
25 | func TestDownload(t *testing.T) {
26 | 
27 | 	ciphertext := []byte{0xa1, 0xb2, 0xc3, 0xd4}
28 | 
29 | 	fakeS3 := &FakeS3{
30 | 		GetOutputs: []s3.GetObjectOutput{
31 | 			{
32 | 				Body: ioutil.NopCloser(bytes.NewReader(ciphertext)),
33 | 			},
34 | 		},
35 | 	}
36 | 
37 | 	s3Svc = fakeS3
38 | 
39 | 	payload := mustDownload("mybucket", "test.coffer")
40 | 
41 | 	assert.Equal(t, []byte{0xa1, 0xb2, 0xc3, 0xd4}, payload)
42 | }
43 | 


--------------------------------------------------------------------------------