downloads API, UI

2023-02-07 21:29:19 +01:00
parent e44303eab9
commit b6c714fac7
32 changed files with 17675 additions and 5 deletions
--- a/cmd/dkl-local-server/secret-store.go
+++ b/cmd/dkl-local-server/secret-store.go
@ -0,0 +1,171 @@
+package main
+
+import (
+	"crypto/rand"
+	"encoding/base32"
+	"encoding/json"
+	"log"
+	"net/http"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"m.cluseau.fr/go/httperr"
+	"novit.tech/direktil/local-server/secretstore"
+)
+
+var secStore *secretstore.Store
+
+func secStorePath(name string) string { return filepath.Join(*dataDir, "secrets", name) }
+func secKeysStorePath() string        { return secStorePath(".keys") }
+
+func openSecretStore() {
+	var err error
+
+	keysPath := secKeysStorePath()
+
+	if err := os.MkdirAll(filepath.Dir(filepath.Dir(keysPath)), 0755); err != nil {
+		log.Fatal("failed to create dirs: ", err)
+	}
+
+	if err := os.MkdirAll(filepath.Dir(keysPath), 0700); err != nil {
+		log.Fatal("failed to secret store dir: ", err)
+	}
+
+	secStore, err = secretstore.Open(keysPath)
+
+	switch {
+	case err == nil:
+		wPublicState.Change(func(v *PublicState) {
+			v.Store.New = false
+			v.Store.Open = false
+		})
+
+	case os.IsNotExist(err):
+		secStore = secretstore.New()
+		wPublicState.Change(func(v *PublicState) {
+			v.Store.New = true
+			v.Store.Open = false
+		})
+
+	default:
+		log.Fatal("failed to open keys store: ", err)
+	}
+}
+
+var (
+	unlockMutex = sync.Mutex{}
+
+	ErrStoreAlreadyUnlocked = httperr.NewStd(http.StatusConflict, 1, "store already unlocked")
+	ErrInvalidPassphrase    = httperr.NewStd(http.StatusBadRequest, 2, "invalid passphrase")
+)
+
+func unlockSecretStore(passphrase []byte) *httperr.Error {
+	unlockMutex.Lock()
+	defer unlockMutex.Unlock()
+
+	if secStore.Unlocked() {
+		return ErrStoreAlreadyUnlocked
+	}
+
+	if secStore.IsNew() {
+		err := secStore.Init(passphrase)
+		if err != nil {
+			return httperr.New(http.StatusInternalServerError, err)
+		}
+
+		err = secStore.SaveTo(secKeysStorePath())
+		if err != nil {
+			log.Print("secret store save error: ", err)
+			secStore.Close()
+
+			return httperr.New(http.StatusInternalServerError, err)
+		}
+
+	} else {
+		if !secStore.Unlock([]byte(passphrase)) {
+			return ErrInvalidPassphrase
+		}
+	}
+
+	token := ""
+	if err := readSecret("admin-token", &token); err != nil {
+		if !os.IsNotExist(err) {
+			log.Print("failed to read admin token: ", err)
+			secStore.Close()
+
+			return httperr.New(http.StatusInternalServerError, err)
+		}
+
+		randBytes := make([]byte, 32)
+		_, err := rand.Read(randBytes)
+		if err != nil {
+			log.Print("rand read error: ", err)
+			secStore.Close()
+
+			return httperr.New(http.StatusInternalServerError, err)
+		}
+
+		token = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(randBytes)
+		err = writeSecret("admin-token", token)
+		if err != nil {
+			log.Print("write error: ", err)
+			secStore.Close()
+
+			return httperr.New(http.StatusInternalServerError, err)
+		}
+
+		log.Print("wrote new admin token")
+	}
+
+	*adminToken = token
+
+	wPublicState.Change(func(v *PublicState) {
+		v.Store.New = false
+		v.Store.Open = true
+	})
+
+	go updateState()
+
+	return nil
+}
+
+func readSecret(name string, value any) (err error) {
+	f, err := os.Open(secStorePath(name + ".data"))
+	if err != nil {
+		return
+	}
+
+	defer f.Close()
+
+	in, err := secStore.NewReader(f)
+	if err != nil {
+		return
+	}
+
+	return json.NewDecoder(in).Decode(value)
+}
+
+func writeSecret(name string, value any) (err error) {
+	f, err := os.Create(secStorePath(name + ".data.new"))
+	if err != nil {
+		return
+	}
+
+	err = func() (err error) {
+		defer f.Close()
+
+		out, err := secStore.NewWriter(f)
+		if err != nil {
+			return
+		}
+
+		return json.NewEncoder(out).Encode(value)
+	}()
+
+	if err != nil {
+		return
+	}
+
+	return os.Rename(f.Name(), secStorePath(name+".data"))
+}