Compare commits
3 Commits
main
..
78d4d4f121
| Author | SHA1 | Date | |
|---|---|---|---|
| 78d4d4f121 | |||
| 720d433fd9 | |||
| c0c2c4afdf |
Generated
+388
-158
File diff suppressed because it is too large
Load Diff
+1
-2
@@ -1,6 +1,6 @@
|
|||||||
[package]
|
[package]
|
||||||
name = "dkl"
|
name = "dkl"
|
||||||
version = "1.2.1"
|
version = "1.2.2"
|
||||||
edition = "2024"
|
edition = "2024"
|
||||||
|
|
||||||
[profile.release]
|
[profile.release]
|
||||||
@@ -23,7 +23,6 @@ eyre = "0.6.12"
|
|||||||
fastrand = "2.3.0"
|
fastrand = "2.3.0"
|
||||||
futures = "0.3.31"
|
futures = "0.3.31"
|
||||||
futures-util = "0.3.31"
|
futures-util = "0.3.31"
|
||||||
getrandom = "0.4.2"
|
|
||||||
glob = "0.3.2"
|
glob = "0.3.2"
|
||||||
hex = "0.4.3"
|
hex = "0.4.3"
|
||||||
human-units = "0.5.3"
|
human-units = "0.5.3"
|
||||||
|
|||||||
+43
-13
@@ -3,12 +3,12 @@ use log::info;
|
|||||||
use std::path::Path;
|
use std::path::Path;
|
||||||
use tokio::fs;
|
use tokio::fs;
|
||||||
|
|
||||||
use crate::File;
|
use crate::{base64_decode, File};
|
||||||
|
|
||||||
pub async fn files(files: &[File], root: &str, dry_run: bool) -> Result<()> {
|
pub async fn files(files: &[File], root: &str, dry_run: bool) -> Result<()> {
|
||||||
for f in files {
|
for f in files {
|
||||||
if let Err(e) = file(f, root, dry_run).await {
|
if let Err(e) = file(f, root, dry_run).await {
|
||||||
return Err(format_err!("{}: {e}", f.path));
|
return Err(format_err!("{}: {e}", f.path))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Ok(())
|
Ok(())
|
||||||
@@ -22,21 +22,51 @@ pub async fn file(file: &File, root: &str, dry_run: bool) -> Result<()> {
|
|||||||
fs::create_dir_all(parent).await?;
|
fs::create_dir_all(parent).await?;
|
||||||
}
|
}
|
||||||
|
|
||||||
let kind = file.kind();
|
use crate::{FileKind as K, FilePart as P};
|
||||||
let content = kind.content()?;
|
match file.kind().as_ref() {
|
||||||
|
|
||||||
use crate::FileKind as K;
|
|
||||||
match kind.as_ref() {
|
|
||||||
K::Skip => {
|
K::Skip => {
|
||||||
info!("{}: kind is skip", file.path);
|
info!("{}: kind is skip", file.path);
|
||||||
return Ok(());
|
return Ok(())
|
||||||
}
|
},
|
||||||
K::Content(_) | K::Content64(_) | K::Parts(_) => {
|
K::Content(content) => {
|
||||||
let content = content.expect("this file kind should have content");
|
|
||||||
if dry_run {
|
if dry_run {
|
||||||
info!("would create {} ({} bytes)", file.path, content.len());
|
info!(
|
||||||
|
"would create {} ({} bytes from content)",
|
||||||
|
file.path,
|
||||||
|
content.len()
|
||||||
|
);
|
||||||
} else {
|
} else {
|
||||||
fs::write(path, &content).await?;
|
fs::write(path, content.as_bytes()).await?;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
K::Content64(content) => {
|
||||||
|
let content = base64_decode(content)?;
|
||||||
|
if dry_run {
|
||||||
|
info!(
|
||||||
|
"would create {} ({} bytes from content64)",
|
||||||
|
file.path,
|
||||||
|
content.len()
|
||||||
|
);
|
||||||
|
} else {
|
||||||
|
fs::write(path, content).await?
|
||||||
|
}
|
||||||
|
}
|
||||||
|
K::Parts(parts) => {
|
||||||
|
let mut assembly = Vec::new();
|
||||||
|
for part in parts {
|
||||||
|
match part {
|
||||||
|
P::Content(content) => assembly.extend(content.as_bytes()),
|
||||||
|
P::Content64(content) => assembly.extend(base64_decode(content)?),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if dry_run {
|
||||||
|
info!(
|
||||||
|
"would create {} ({} bytes from parts)",
|
||||||
|
file.path,
|
||||||
|
assembly.len()
|
||||||
|
);
|
||||||
|
} else {
|
||||||
|
fs::write(path, assembly).await?
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
K::Dir => {
|
K::Dir => {
|
||||||
|
|||||||
+1
-1
@@ -1,5 +1,5 @@
|
|||||||
use clap::{CommandFactory, Parser, Subcommand};
|
use clap::{CommandFactory, Parser, Subcommand};
|
||||||
use eyre::{Result, format_err};
|
use eyre::{format_err, Result};
|
||||||
use human_units::Duration;
|
use human_units::Duration;
|
||||||
use log::{debug, error};
|
use log::{debug, error};
|
||||||
use std::net::SocketAddr;
|
use std::net::SocketAddr;
|
||||||
|
|||||||
@@ -3,7 +3,6 @@ use clap::{CommandFactory, Parser, Subcommand};
|
|||||||
use eyre::format_err;
|
use eyre::format_err;
|
||||||
use futures_util::Stream;
|
use futures_util::Stream;
|
||||||
use futures_util::StreamExt;
|
use futures_util::StreamExt;
|
||||||
use std::path::PathBuf;
|
|
||||||
use std::time::{Duration, SystemTime};
|
use std::time::{Duration, SystemTime};
|
||||||
use tokio::fs;
|
use tokio::fs;
|
||||||
use tokio::io::{AsyncWrite, AsyncWriteExt};
|
use tokio::io::{AsyncWrite, AsyncWriteExt};
|
||||||
@@ -22,8 +21,6 @@ struct Cli {
|
|||||||
|
|
||||||
#[derive(Subcommand)]
|
#[derive(Subcommand)]
|
||||||
enum Command {
|
enum Command {
|
||||||
#[command(subcommand)]
|
|
||||||
Config(Config),
|
|
||||||
Clusters,
|
Clusters,
|
||||||
Cluster {
|
Cluster {
|
||||||
cluster: String,
|
cluster: String,
|
||||||
@@ -43,16 +40,6 @@ enum Command {
|
|||||||
Hash {
|
Hash {
|
||||||
salt: String,
|
salt: String,
|
||||||
},
|
},
|
||||||
Store {
|
|
||||||
store_path: PathBuf,
|
|
||||||
#[command(subcommand)]
|
|
||||||
op: StoreOp,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
#[derive(Subcommand)]
|
|
||||||
enum Config {
|
|
||||||
Upload { config_path: PathBuf },
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Subcommand)]
|
#[derive(Subcommand)]
|
||||||
@@ -109,12 +96,6 @@ enum ClusterCommand {
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Subcommand)]
|
|
||||||
enum StoreOp {
|
|
||||||
Get { data_path: PathBuf },
|
|
||||||
Set { data_path: PathBuf, value: String },
|
|
||||||
}
|
|
||||||
|
|
||||||
#[tokio::main(flavor = "current_thread")]
|
#[tokio::main(flavor = "current_thread")]
|
||||||
async fn main() -> eyre::Result<()> {
|
async fn main() -> eyre::Result<()> {
|
||||||
clap_complete::CompleteEnv::with_factory(Cli::command).complete();
|
clap_complete::CompleteEnv::with_factory(Cli::command).complete();
|
||||||
@@ -250,29 +231,6 @@ async fn main() -> eyre::Result<()> {
|
|||||||
println!("hash (hex): {}", hex::encode(&hash));
|
println!("hash (hex): {}", hex::encode(&hash));
|
||||||
println!("hash (base64): {}", dkl::base64_encode(&hash));
|
println!("hash (base64): {}", dkl::base64_encode(&hash));
|
||||||
}
|
}
|
||||||
C::Store { store_path, op } => {
|
|
||||||
let mut s = dls::store::Store::new(store_path);
|
|
||||||
s.unlock(&std::env::var("DLS_STORE_PW").unwrap()).await?;
|
|
||||||
|
|
||||||
match op {
|
|
||||||
StoreOp::Get { data_path } => {
|
|
||||||
let mut data = std::io::Cursor::new(s.read(data_path).await?);
|
|
||||||
tokio::io::copy(&mut data, &mut tokio::io::stdout()).await?;
|
|
||||||
}
|
|
||||||
StoreOp::Set { data_path, value } => s.write(data_path, value.as_bytes()).await?,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
C::Config(cmd) => match cmd {
|
|
||||||
Config::Upload { config_path } => {
|
|
||||||
let cfg = fs::read(&config_path).await?;
|
|
||||||
let cfg: dls::Config = if config_path.ends_with(".yaml") {
|
|
||||||
serde_yaml::from_slice(&cfg)?
|
|
||||||
} else {
|
|
||||||
serde_json::from_slice(&cfg)?
|
|
||||||
};
|
|
||||||
dls().upload_config(&cfg).await?;
|
|
||||||
}
|
|
||||||
},
|
|
||||||
};
|
};
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
|
|||||||
+1
-1
@@ -64,8 +64,8 @@ pub async fn ls(
|
|||||||
}
|
}
|
||||||
|
|
||||||
use tabled::settings::{
|
use tabled::settings::{
|
||||||
Alignment, Modify,
|
|
||||||
object::{Column, Row},
|
object::{Column, Row},
|
||||||
|
Alignment, Modify,
|
||||||
};
|
};
|
||||||
let mut table = table.build();
|
let mut table = table.build();
|
||||||
table.with(tabled::settings::Style::psql());
|
table.with(tabled::settings::Style::psql());
|
||||||
|
|||||||
+13
-57
@@ -23,18 +23,6 @@ impl Client {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn new_with_http_client(
|
|
||||||
base_url: String,
|
|
||||||
token: String,
|
|
||||||
http_client: reqwest::Client,
|
|
||||||
) -> Self {
|
|
||||||
Self {
|
|
||||||
base_url,
|
|
||||||
token,
|
|
||||||
http_client,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn with_proxy(self, proxy: String) -> reqwest::Result<Self> {
|
pub fn with_proxy(self, proxy: String) -> reqwest::Result<Self> {
|
||||||
let proxy = reqwest::Proxy::all(proxy)?;
|
let proxy = reqwest::Proxy::all(proxy)?;
|
||||||
Ok(Self {
|
Ok(Self {
|
||||||
@@ -77,15 +65,6 @@ impl Client {
|
|||||||
Ok(resp.bytes_stream())
|
Ok(resp.bytes_stream())
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn upload_config(&self, config: &Config) -> Result<()> {
|
|
||||||
do_req(self.req(Method::POST, "configs")?.json(config), &self.token).await?;
|
|
||||||
Ok(())
|
|
||||||
}
|
|
||||||
|
|
||||||
pub async fn get_config(&self) -> Result<Config> {
|
|
||||||
self.get_json("config").await
|
|
||||||
}
|
|
||||||
|
|
||||||
pub async fn get_json<T: serde::de::DeserializeOwned>(&self, path: impl Display) -> Result<T> {
|
pub async fn get_json<T: serde::de::DeserializeOwned>(&self, path: impl Display) -> Result<T> {
|
||||||
self.req_json(self.get(&path)?).await
|
self.req_json(self.get(&path)?).await
|
||||||
}
|
}
|
||||||
@@ -175,7 +154,7 @@ impl<'t> Host<'t> {
|
|||||||
pub async fn asset(
|
pub async fn asset(
|
||||||
&self,
|
&self,
|
||||||
asset_name: &str,
|
asset_name: &str,
|
||||||
) -> Result<impl Stream<Item = reqwest::Result<Bytes>> + use<>> {
|
) -> Result<impl Stream<Item = reqwest::Result<Bytes>>> {
|
||||||
let req = self.dls.get(format!("hosts/{}/{asset_name}", self.name))?;
|
let req = self.dls.get(format!("hosts/{}/{asset_name}", self.name))?;
|
||||||
let resp = do_req(req, &self.dls.token).await?;
|
let resp = do_req(req, &self.dls.token).await?;
|
||||||
Ok(resp.bytes_stream())
|
Ok(resp.bytes_stream())
|
||||||
@@ -183,23 +162,17 @@ impl<'t> Host<'t> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Default, serde::Deserialize, serde::Serialize)]
|
#[derive(Default, serde::Deserialize, serde::Serialize)]
|
||||||
#[serde(default, rename_all = "PascalCase")]
|
#[serde(rename_all = "PascalCase")]
|
||||||
pub struct Config {
|
pub struct Config {
|
||||||
#[serde(deserialize_with = "deserialize_null_as_default", alias = "clusters")]
|
#[serde(default, deserialize_with = "deserialize_null_as_default")]
|
||||||
pub clusters: Vec<ClusterConfig>,
|
pub clusters: Vec<ClusterConfig>,
|
||||||
#[serde(deserialize_with = "deserialize_null_as_default", alias = "hosts")]
|
#[serde(default, deserialize_with = "deserialize_null_as_default")]
|
||||||
pub hosts: Vec<HostConfig>,
|
pub hosts: Vec<HostConfig>,
|
||||||
#[serde(
|
#[serde(default, deserialize_with = "deserialize_null_as_default")]
|
||||||
deserialize_with = "deserialize_null_as_default",
|
|
||||||
alias = "hosttemplates"
|
|
||||||
)]
|
|
||||||
pub host_templates: Vec<HostConfig>,
|
pub host_templates: Vec<HostConfig>,
|
||||||
#[serde(default, rename = "SSLConfig", alias = "sslconfig")]
|
#[serde(default, rename = "SSLConfig")]
|
||||||
pub ssl_config: String,
|
pub ssl_config: String,
|
||||||
#[serde(
|
#[serde(default, deserialize_with = "deserialize_null_as_default")]
|
||||||
deserialize_with = "deserialize_null_as_default",
|
|
||||||
alias = "extracacerts"
|
|
||||||
)]
|
|
||||||
pub extra_ca_certs: Map<String, String>,
|
pub extra_ca_certs: Map<String, String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -217,57 +190,40 @@ where
|
|||||||
#[derive(serde::Deserialize, serde::Serialize)]
|
#[derive(serde::Deserialize, serde::Serialize)]
|
||||||
#[serde(rename_all = "PascalCase")]
|
#[serde(rename_all = "PascalCase")]
|
||||||
pub struct ClusterConfig {
|
pub struct ClusterConfig {
|
||||||
#[serde(alias = "name")]
|
|
||||||
pub name: String,
|
pub name: String,
|
||||||
#[serde(alias = "bootstrappods")]
|
|
||||||
pub bootstrap_pods: String,
|
pub bootstrap_pods: String,
|
||||||
#[serde(alias = "addons")]
|
|
||||||
pub addons: String,
|
pub addons: String,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Default, serde::Deserialize, serde::Serialize)]
|
#[derive(Default, serde::Deserialize, serde::Serialize)]
|
||||||
#[serde(rename_all = "PascalCase")]
|
#[serde(rename_all = "PascalCase")]
|
||||||
pub struct HostConfig {
|
pub struct HostConfig {
|
||||||
#[serde(alias = "name")]
|
|
||||||
pub name: String,
|
pub name: String,
|
||||||
#[serde(
|
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||||
default,
|
|
||||||
skip_serializing_if = "Option::is_none",
|
|
||||||
alias = "cluster_name"
|
|
||||||
)]
|
|
||||||
pub cluster_name: Option<String>,
|
pub cluster_name: Option<String>,
|
||||||
|
|
||||||
#[serde(rename = "IPs", alias = "ips")]
|
#[serde(rename = "IPs")]
|
||||||
pub ips: Vec<IpAddr>,
|
pub ips: Vec<IpAddr>,
|
||||||
|
|
||||||
#[serde(default, skip_serializing_if = "Map::is_empty", alias = "labels")]
|
#[serde(default, skip_serializing_if = "Map::is_empty")]
|
||||||
pub labels: Map<String, String>,
|
pub labels: Map<String, String>,
|
||||||
#[serde(default, skip_serializing_if = "Map::is_empty", alias = "annotations")]
|
#[serde(default, skip_serializing_if = "Map::is_empty")]
|
||||||
pub annotations: Map<String, String>,
|
pub annotations: Map<String, String>,
|
||||||
|
|
||||||
#[serde(
|
#[serde(rename = "IPXE", skip_serializing_if = "Option::is_none")]
|
||||||
rename = "IPXE",
|
|
||||||
skip_serializing_if = "Option::is_none",
|
|
||||||
alias = "ipxe"
|
|
||||||
)]
|
|
||||||
pub ipxe: Option<String>,
|
pub ipxe: Option<String>,
|
||||||
|
|
||||||
#[serde(alias = "initrd")]
|
|
||||||
pub initrd: String,
|
pub initrd: String,
|
||||||
#[serde(alias = "kernel")]
|
|
||||||
pub kernel: String,
|
pub kernel: String,
|
||||||
#[serde(alias = "versions")]
|
|
||||||
pub versions: Map<String, String>,
|
pub versions: Map<String, String>,
|
||||||
|
|
||||||
/// initrd config template
|
/// initrd config template
|
||||||
#[serde(alias = "bootstrapconfig")]
|
|
||||||
pub bootstrap_config: String,
|
pub bootstrap_config: String,
|
||||||
/// files to add to the final initrd config, with rendering
|
/// files to add to the final initrd config, with rendering
|
||||||
#[serde(default, skip_serializing_if = "Vec::is_empty", alias = "initrdfiles")]
|
#[serde(default, skip_serializing_if = "Vec::is_empty")]
|
||||||
pub initrd_files: Vec<crate::File>,
|
pub initrd_files: Vec<crate::File>,
|
||||||
|
|
||||||
/// system config template
|
/// system config template
|
||||||
#[serde(alias = "config")]
|
|
||||||
pub config: String,
|
pub config: String,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
+4
-192
@@ -1,13 +1,4 @@
|
|||||||
use openssl::symm::Mode;
|
pub fn hash_password(salt: &[u8], passphrase: &str) -> argon2::Result<[u8; 32]> {
|
||||||
use std::borrow::Cow;
|
|
||||||
use std::path::{Path, PathBuf};
|
|
||||||
use tokio::{fs, io::AsyncWriteExt};
|
|
||||||
|
|
||||||
pub type Salt = [u8; 16];
|
|
||||||
pub type Key = [u8; 32];
|
|
||||||
pub type Hash = Vec<u8>;
|
|
||||||
|
|
||||||
pub fn hash_password(salt: &[u8], passphrase: &str) -> Result<Key> {
|
|
||||||
let hash = argon2::hash_raw(
|
let hash = argon2::hash_raw(
|
||||||
passphrase.as_bytes(),
|
passphrase.as_bytes(),
|
||||||
salt,
|
salt,
|
||||||
@@ -15,191 +6,12 @@ pub fn hash_password(salt: &[u8], passphrase: &str) -> Result<Key> {
|
|||||||
variant: argon2::Variant::Argon2id,
|
variant: argon2::Variant::Argon2id,
|
||||||
hash_length: 32,
|
hash_length: 32,
|
||||||
time_cost: 1,
|
time_cost: 1,
|
||||||
mem_cost: 64 << 10,
|
mem_cost: 65536,
|
||||||
thread_mode: argon2::ThreadMode::Parallel,
|
thread_mode: argon2::ThreadMode::Parallel,
|
||||||
lanes: 4,
|
lanes: 4,
|
||||||
..Default::default()
|
..Default::default()
|
||||||
},
|
},
|
||||||
)
|
)?;
|
||||||
.map_err(Error::Hash)?;
|
|
||||||
|
|
||||||
Ok(hash.try_into().unwrap())
|
unsafe { Ok(hash.try_into().unwrap_unchecked()) }
|
||||||
}
|
|
||||||
|
|
||||||
pub struct Store {
|
|
||||||
path: PathBuf,
|
|
||||||
key: Option<Key>,
|
|
||||||
}
|
|
||||||
|
|
||||||
impl Store {
|
|
||||||
pub fn new(path: impl Into<PathBuf>) -> Self {
|
|
||||||
Self {
|
|
||||||
path: path.into(),
|
|
||||||
key: None,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
pub async fn unlock(&mut self, passphrase: &str) -> Result<()> {
|
|
||||||
let keys = self.read_keys().await?;
|
|
||||||
|
|
||||||
let salt = keys.salt;
|
|
||||||
|
|
||||||
let user_key = hash_password(&salt, passphrase)?;
|
|
||||||
let user_hash = openssl::sha::sha512(&user_key);
|
|
||||||
|
|
||||||
for nk in keys.keys {
|
|
||||||
if nk.hash != user_hash {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
// build iv+data from salt
|
|
||||||
let mut enc_data = Vec::with_capacity(salt.len() + nk.enc_key.len());
|
|
||||||
enc_data.extend_from_slice(&salt);
|
|
||||||
enc_data.extend_from_slice(&nk.enc_key);
|
|
||||||
|
|
||||||
let key = crypt(&enc_data, &user_key, Mode::Decrypt)?;
|
|
||||||
let key = key.try_into().map_err(|_| Error::InvalidKey)?;
|
|
||||||
|
|
||||||
self.key = Some(key);
|
|
||||||
return Ok(());
|
|
||||||
}
|
|
||||||
|
|
||||||
Err(Error::KeyNotFound)
|
|
||||||
}
|
|
||||||
|
|
||||||
pub async fn read(&self, path: impl AsRef<Path>) -> Result<Vec<u8>> {
|
|
||||||
let enc_data = self.read_file(path.as_ref().with_extension("data")).await?;
|
|
||||||
self.decrypt(&enc_data)
|
|
||||||
}
|
|
||||||
pub async fn read_to_string(&self, path: impl AsRef<Path>) -> Result<String> {
|
|
||||||
let path = path.as_ref();
|
|
||||||
String::from_utf8(self.read(path).await?).map_err(|_| Error::InvalidUtf8(path.into()))
|
|
||||||
}
|
|
||||||
|
|
||||||
pub async fn write(&self, path: impl AsRef<Path>, data: &[u8]) -> Result<()> {
|
|
||||||
let enc_data = self.encrypt(data)?;
|
|
||||||
safe_write(self.path.join(&path).with_extension("data"), &enc_data).await
|
|
||||||
}
|
|
||||||
|
|
||||||
async fn read_keys(&self) -> Result<Keys<'_>> {
|
|
||||||
let keys = self.read_file(".keys").await?;
|
|
||||||
let Some(keys) = keys.strip_prefix(b"{json}") else {
|
|
||||||
return Err(Error::InvalidKeys);
|
|
||||||
};
|
|
||||||
|
|
||||||
serde_json::from_slice(keys).map_err(Error::KeysParse)
|
|
||||||
}
|
|
||||||
|
|
||||||
async fn read_file(&self, subpath: impl AsRef<Path>) -> Result<Vec<u8>> {
|
|
||||||
let path = self.path.join(subpath);
|
|
||||||
fs::read(&path).await.map_err(|e| Error::Read(path, e))
|
|
||||||
}
|
|
||||||
|
|
||||||
fn encrypt(&self, src: &[u8]) -> Result<Vec<u8>> {
|
|
||||||
self.crypt(src, Mode::Encrypt)
|
|
||||||
}
|
|
||||||
fn decrypt(&self, src: &[u8]) -> Result<Vec<u8>> {
|
|
||||||
self.crypt(src, Mode::Decrypt)
|
|
||||||
}
|
|
||||||
fn crypt(&self, src: &[u8], mode: Mode) -> Result<Vec<u8>> {
|
|
||||||
let key = self.key.as_ref().ok_or(Error::NotUnlocked)?;
|
|
||||||
crypt(src, key, mode)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
async fn safe_write(path: impl AsRef<Path>, contents: &[u8]) -> Result<()> {
|
|
||||||
let path = path.as_ref();
|
|
||||||
let tmp = path.with_added_extension("new");
|
|
||||||
|
|
||||||
let tmp_err = |e| Error::Write(tmp.clone(), e);
|
|
||||||
|
|
||||||
let mut file = fs::OpenOptions::new()
|
|
||||||
.create(true)
|
|
||||||
.truncate(true)
|
|
||||||
.write(true)
|
|
||||||
.open(&tmp)
|
|
||||||
.await
|
|
||||||
.map_err(tmp_err)?;
|
|
||||||
|
|
||||||
file.write_all(contents).await.map_err(tmp_err)?;
|
|
||||||
file.sync_all().await.map_err(tmp_err)?;
|
|
||||||
file.shutdown().await.map_err(tmp_err)?;
|
|
||||||
|
|
||||||
fs::rename(tmp, &path)
|
|
||||||
.await
|
|
||||||
.map_err(|e| Error::Write(path.into(), e))
|
|
||||||
}
|
|
||||||
|
|
||||||
fn crypt(mut src: &[u8], key: &Key, mode: Mode) -> Result<Vec<u8>> {
|
|
||||||
use openssl::symm::{Cipher, Crypter};
|
|
||||||
|
|
||||||
let mut iv = [0u8; 16];
|
|
||||||
let mut dst: Vec<u8>;
|
|
||||||
let crypt_dst: &mut [u8];
|
|
||||||
|
|
||||||
match mode {
|
|
||||||
Mode::Encrypt => {
|
|
||||||
getrandom::fill(&mut iv).unwrap();
|
|
||||||
dst = vec![0u8; iv.len() + src.len()];
|
|
||||||
dst[..iv.len()].copy_from_slice(&iv);
|
|
||||||
crypt_dst = &mut dst[iv.len()..];
|
|
||||||
}
|
|
||||||
Mode::Decrypt => {
|
|
||||||
iv = src[..iv.len()]
|
|
||||||
.try_into()
|
|
||||||
.map_err(|_| Error::DecryptInputToSmall)?;
|
|
||||||
src = &src[iv.len()..];
|
|
||||||
dst = vec![0u8; src.len()];
|
|
||||||
crypt_dst = &mut dst;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
let cipher = Cipher::aes_256_cfb128();
|
|
||||||
Crypter::new(cipher, mode, key, Some(&iv))
|
|
||||||
.expect("Failed to init AES")
|
|
||||||
.update(src, crypt_dst)
|
|
||||||
.expect("AES CFB encrypt/decrypt failed");
|
|
||||||
|
|
||||||
Ok(dst)
|
|
||||||
}
|
|
||||||
|
|
||||||
pub type Result<T> = std::result::Result<T, Error>;
|
|
||||||
|
|
||||||
#[derive(Debug, thiserror::Error)]
|
|
||||||
pub enum Error {
|
|
||||||
#[error("hash error: {0}")]
|
|
||||||
Hash(argon2::Error),
|
|
||||||
#[error("read {0} failed: {1}")]
|
|
||||||
Read(PathBuf, std::io::Error),
|
|
||||||
#[error("write {0} failed: {1}")]
|
|
||||||
Write(PathBuf, std::io::Error),
|
|
||||||
#[error("read {0} failed: invalid UTF-8")]
|
|
||||||
InvalidUtf8(PathBuf),
|
|
||||||
#[error("invalid keys data")]
|
|
||||||
InvalidKeys,
|
|
||||||
#[error("invalid key")]
|
|
||||||
InvalidKey,
|
|
||||||
#[error("keys parse error: {0}")]
|
|
||||||
KeysParse(serde_json::Error),
|
|
||||||
#[error("key not found")]
|
|
||||||
KeyNotFound,
|
|
||||||
#[error("store not unlocked")]
|
|
||||||
NotUnlocked,
|
|
||||||
#[error("decrypt input too small")]
|
|
||||||
DecryptInputToSmall,
|
|
||||||
}
|
|
||||||
|
|
||||||
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
|
|
||||||
#[serde(rename_all = "PascalCase")]
|
|
||||||
struct Keys<'t> {
|
|
||||||
salt: Salt,
|
|
||||||
keys: Vec<NamedKey<'t>>,
|
|
||||||
}
|
|
||||||
|
|
||||||
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
|
|
||||||
#[serde(rename_all = "PascalCase")]
|
|
||||||
struct NamedKey<'t> {
|
|
||||||
name: Cow<'t, str>,
|
|
||||||
hash: Hash,
|
|
||||||
enc_key: Key,
|
|
||||||
}
|
}
|
||||||
|
|||||||
+1
-1
@@ -1,4 +1,4 @@
|
|||||||
use eyre::{Result, format_err};
|
use eyre::{format_err, Result};
|
||||||
use log::{debug, error, info, warn};
|
use log::{debug, error, info, warn};
|
||||||
use std::path::PathBuf;
|
use std::path::PathBuf;
|
||||||
use tokio::{fs, io::AsyncWriteExt, process::Command};
|
use tokio::{fs, io::AsyncWriteExt, process::Command};
|
||||||
|
|||||||
+6
-37
@@ -11,7 +11,7 @@ pub mod logger;
|
|||||||
pub mod proxy;
|
pub mod proxy;
|
||||||
pub mod rc;
|
pub mod rc;
|
||||||
|
|
||||||
#[derive(Debug, Default, Clone, serde::Deserialize, serde::Serialize)]
|
#[derive(Debug, Default, serde::Deserialize, serde::Serialize)]
|
||||||
pub struct Config {
|
pub struct Config {
|
||||||
pub layers: Vec<String>,
|
pub layers: Vec<String>,
|
||||||
pub root_user: RootUser,
|
pub root_user: RootUser,
|
||||||
@@ -25,14 +25,14 @@ pub struct Config {
|
|||||||
pub users: Vec<User>,
|
pub users: Vec<User>,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Debug, Default, Clone, serde::Deserialize, serde::Serialize)]
|
#[derive(Debug, Default, serde::Deserialize, serde::Serialize)]
|
||||||
pub struct RootUser {
|
pub struct RootUser {
|
||||||
#[serde(skip_serializing_if = "Option::is_none")]
|
#[serde(skip_serializing_if = "Option::is_none")]
|
||||||
pub password_hash: Option<String>,
|
pub password_hash: Option<String>,
|
||||||
pub authorized_keys: Vec<String>,
|
pub authorized_keys: Vec<String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Debug, Default, Clone, serde::Deserialize, serde::Serialize)]
|
#[derive(Debug, Default, serde::Deserialize, serde::Serialize)]
|
||||||
pub struct Mount {
|
pub struct Mount {
|
||||||
pub dev: String,
|
pub dev: String,
|
||||||
pub path: String,
|
pub path: String,
|
||||||
@@ -42,14 +42,14 @@ pub struct Mount {
|
|||||||
pub options: Option<String>,
|
pub options: Option<String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
|
#[derive(Debug, serde::Deserialize, serde::Serialize)]
|
||||||
pub struct Group {
|
pub struct Group {
|
||||||
pub name: String,
|
pub name: String,
|
||||||
#[serde(skip_serializing_if = "Option::is_none")]
|
#[serde(skip_serializing_if = "Option::is_none")]
|
||||||
pub gid: Option<u32>,
|
pub gid: Option<u32>,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
|
#[derive(Debug, serde::Deserialize, serde::Serialize)]
|
||||||
pub struct User {
|
pub struct User {
|
||||||
pub name: String,
|
pub name: String,
|
||||||
#[serde(skip_serializing_if = "Option::is_none")]
|
#[serde(skip_serializing_if = "Option::is_none")]
|
||||||
@@ -58,7 +58,7 @@ pub struct User {
|
|||||||
pub gid: Option<u32>,
|
pub gid: Option<u32>,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Default, Debug, Clone, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
|
#[derive(Default, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
|
||||||
pub struct File {
|
pub struct File {
|
||||||
pub path: String,
|
pub path: String,
|
||||||
#[serde(skip_serializing_if = "Option::is_none")]
|
#[serde(skip_serializing_if = "Option::is_none")]
|
||||||
@@ -148,34 +148,3 @@ impl<'t> File {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl FileKind {
|
|
||||||
pub fn content<'t>(&'t self) -> Result<Option<Cow<'t, [u8]>>, base64::DecodeError> {
|
|
||||||
use FileKind::*;
|
|
||||||
Ok(match self {
|
|
||||||
Content(content) => Some(Cow::Borrowed(content.as_bytes())),
|
|
||||||
Content64(content) => {
|
|
||||||
let content = base64_decode(content)?;
|
|
||||||
Some(Cow::Owned(content))
|
|
||||||
}
|
|
||||||
Parts(parts) => {
|
|
||||||
let mut assembly = Vec::new();
|
|
||||||
for part in parts {
|
|
||||||
assembly.extend(part.content()?.into_iter());
|
|
||||||
}
|
|
||||||
Some(Cow::Owned(assembly))
|
|
||||||
}
|
|
||||||
_ => None,
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
impl FilePart {
|
|
||||||
pub fn content(&self) -> Result<Cow<'_, [u8]>, base64::DecodeError> {
|
|
||||||
use FilePart::*;
|
|
||||||
Ok(match self {
|
|
||||||
Content(content) => Cow::Borrowed(content.as_bytes()),
|
|
||||||
Content64(content) => Cow::Owned(base64_decode(content)?),
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|||||||
+3
-3
@@ -1,6 +1,6 @@
|
|||||||
use async_compression::tokio::write::{ZstdDecoder, ZstdEncoder};
|
use async_compression::tokio::write::{ZstdDecoder, ZstdEncoder};
|
||||||
use chrono::{DurationRound, TimeDelta, Utc};
|
use chrono::{DurationRound, TimeDelta, Utc};
|
||||||
use eyre::{Result, format_err};
|
use eyre::{format_err, Result};
|
||||||
use log::{debug, error, warn};
|
use log::{debug, error, warn};
|
||||||
use std::ffi::OsStr;
|
use std::ffi::OsStr;
|
||||||
use std::path::{Path, PathBuf};
|
use std::path::{Path, PathBuf};
|
||||||
@@ -10,7 +10,7 @@ use tokio::{
|
|||||||
io::{self, AsyncBufReadExt, AsyncRead, AsyncWrite, AsyncWriteExt, BufReader, BufWriter},
|
io::{self, AsyncBufReadExt, AsyncRead, AsyncWrite, AsyncWriteExt, BufReader, BufWriter},
|
||||||
process::{Child, Command},
|
process::{Child, Command},
|
||||||
sync::mpsc,
|
sync::mpsc,
|
||||||
time::{Duration, sleep},
|
time::{sleep, Duration},
|
||||||
};
|
};
|
||||||
|
|
||||||
use crate::{cgroup, fs};
|
use crate::{cgroup, fs};
|
||||||
@@ -220,7 +220,7 @@ impl Logger {
|
|||||||
|
|
||||||
fn forward_signals_to(pid: i32) {
|
fn forward_signals_to(pid: i32) {
|
||||||
use nix::{
|
use nix::{
|
||||||
sys::signal::{Signal, kill},
|
sys::signal::{kill, Signal},
|
||||||
unistd::Pid,
|
unistd::Pid,
|
||||||
};
|
};
|
||||||
use signal_hook::{consts::*, low_level::register};
|
use signal_hook::{consts::*, low_level::register};
|
||||||
|
|||||||
@@ -5,9 +5,9 @@ use std::collections::{BTreeMap as Map, BTreeSet as Set};
|
|||||||
use std::path::PathBuf;
|
use std::path::PathBuf;
|
||||||
use std::sync::LazyLock;
|
use std::sync::LazyLock;
|
||||||
use tokio::{
|
use tokio::{
|
||||||
io::{AsyncBufReadExt, AsyncReadExt, AsyncWriteExt, BufReader, copy},
|
io::{copy, AsyncBufReadExt, AsyncReadExt, AsyncWriteExt, BufReader},
|
||||||
net::{UnixListener, UnixStream},
|
net::{UnixListener, UnixStream},
|
||||||
sync::{RwLock, mpsc, watch},
|
sync::{mpsc, watch, RwLock},
|
||||||
};
|
};
|
||||||
|
|
||||||
use crate::{cgroup, fs};
|
use crate::{cgroup, fs};
|
||||||
@@ -117,7 +117,7 @@ where
|
|||||||
std::process::exit(0);
|
std::process::exit(0);
|
||||||
}
|
}
|
||||||
Err(e) => {
|
Err(e) => {
|
||||||
eprintln!("{e}");
|
eprint!("{e}");
|
||||||
std::process::exit(1);
|
std::process::exit(1);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -185,7 +185,7 @@ async fn handle(mut conn: UnixStream) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
async fn wait_terminate() {
|
async fn wait_terminate() {
|
||||||
use tokio::signal::unix::{SignalKind, signal};
|
use tokio::signal::unix::{signal, SignalKind};
|
||||||
let Ok(mut sig) = signal(SignalKind::terminate())
|
let Ok(mut sig) = signal(SignalKind::terminate())
|
||||||
.inspect_err(|e| error!("failed to listen to SIGTERM (will be ignored): {e}"))
|
.inspect_err(|e| error!("failed to listen to SIGTERM (will be ignored): {e}"))
|
||||||
else {
|
else {
|
||||||
@@ -203,7 +203,7 @@ async fn wait_terminate() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
async fn wait_reload() {
|
async fn wait_reload() {
|
||||||
use tokio::signal::unix::{SignalKind, signal};
|
use tokio::signal::unix::{signal, SignalKind};
|
||||||
let Ok(mut sig) = signal(SignalKind::hangup())
|
let Ok(mut sig) = signal(SignalKind::hangup())
|
||||||
.inspect_err(|e| error!("failed to listen to SIGHUP (will be ignored): {e}"))
|
.inspect_err(|e| error!("failed to listen to SIGHUP (will be ignored): {e}"))
|
||||||
else {
|
else {
|
||||||
|
|||||||
+2
-2
@@ -1,13 +1,13 @@
|
|||||||
use log::{error, warn};
|
use log::{error, warn};
|
||||||
use nix::{
|
use nix::{
|
||||||
sys::signal::{Signal, kill},
|
sys::signal::{kill, Signal},
|
||||||
unistd::Pid,
|
unistd::Pid,
|
||||||
};
|
};
|
||||||
use std::num::NonZero;
|
use std::num::NonZero;
|
||||||
use tokio::{
|
use tokio::{
|
||||||
process, select,
|
process, select,
|
||||||
sync::{mpsc, watch},
|
sync::{mpsc, watch},
|
||||||
time::{Duration, Instant, sleep, sleep_until},
|
time::{sleep, sleep_until, Duration, Instant},
|
||||||
};
|
};
|
||||||
|
|
||||||
use super::{Error, Result, Service};
|
use super::{Error, Result, Service};
|
||||||
|
|||||||
Reference in New Issue
Block a user