updating git-ssh remote profile; adding custom obfuscated secret store as a fallback to keyring

Author: shibme

go.mod

@@ -95,7 +95,7 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kevinburke/ssh_config v1.2.0
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect

internal/core/environments/providers/const.go

@@ -12,7 +12,6 @@ const (
 
 	// Password Provider Constants
 	passwordProviderName = "password"
-	keyringServiceName   = config.AppNameLowerCase
 
 	// KMS Provider Constants
 	rsaPubKeyRefName = "rsa-pubkey"

internal/core/environments/providers/password.go

@@ -1,12 +1,10 @@
 package providers
 
 import (
-	"crypto/sha256"
 	"fmt"
 
-	"github.com/zalando/go-keyring"
-	"slv.sh/slv/internal/core/commons"
 	"slv.sh/slv/internal/core/input"
+	"slv.sh/slv/internal/core/keystore"
 	"xipher.org/xipher"
 )
 
@@ -28,34 +26,21 @@ func bindWithPassword(skBytes []byte, inputs map[string][]byte) (ref map[string]
 	return
 }
 
-func getFromKeyring(sealedSecretKeyBytes []byte) (string, error) {
-	sha256sum := sha256.Sum256(sealedSecretKeyBytes)
-	return keyring.Get(keyringServiceName, commons.Encode(sha256sum[:]))
-}
-
-func putToKeyring(sealedSecretKeyBytes []byte, password string) error {
-	sha256sum := sha256.Sum256(sealedSecretKeyBytes)
-	return keyring.Set(keyringServiceName, commons.Encode(sha256sum[:]), password)
-}
-
 func unBindWithPassword(ref map[string][]byte) (secretKeyBytes []byte, err error) {
 	sealedSecretKeyBytes := ref["ssk"]
 	if len(sealedSecretKeyBytes) == 0 {
 		return nil, errSealedSecretKeyRef
 	}
 	var password []byte
-	setPasswordToKeyring := false
+	setPasswordToKeystore := false
 	if input.IsInteractive() == nil {
-		pwd, err := getFromKeyring(sealedSecretKeyBytes)
-		if err == nil {
-			password = []byte(pwd)
-		} else {
-			if err == keyring.ErrNotFound {
-				setPasswordToKeyring = true
-			}
+		if password, err = keystore.Get(sealedSecretKeyBytes, false); err == keystore.ErrNotFound {
+			setPasswordToKeystore = true
 			if password, err = input.GetHiddenInput("Enter Password: "); err != nil {
 				return nil, err
 			}
+		} else if err != nil {
+			return nil, fmt.Errorf("failed to get password from keystore: %w", err)
 		}
 	}
 	if password == nil {
@@ -69,11 +54,11 @@ func unBindWithPassword(ref map[string][]byte) (secretKeyBytes []byte, err error
 	if err != nil {
 		return nil, errInvalidPassword
 	}
-	if setPasswordToKeyring {
-		confirm, _ := input.GetConfirmation("Do you want to save the password in keyring? (y/n): ", "y")
+	if setPasswordToKeystore {
+		confirm, _ := input.GetConfirmation("Do you want to save the password locally? (y/n): ", "y")
 		if confirm {
-			if err := putToKeyring(sealedSecretKeyBytes, string(password)); err != nil {
-				fmt.Println("Failed to save password in keyring: ", err.Error())
+			if err := keystore.Put(sealedSecretKeyBytes, password, false); err != nil {
+				return nil, fmt.Errorf("failed to save password to keystore: %w", err)
 			}
 		}
 	}

internal/core/keystore/store.go

@@ -0,0 +1,94 @@
+package keystore
+
+import (
+	"crypto/sha256"
+	"crypto/sha512"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/zalando/go-keyring"
+	"slv.sh/slv/internal/core/commons"
+	"slv.sh/slv/internal/core/config"
+	"xipher.org/xipher"
+)
+
+const (
+	keyringServiceName = config.AppNameLowerCase
+	keystoreDirName    = "keystore"
+)
+
+var (
+	keyStoreDir = filepath.Join(config.GetAppDataDir(), keystoreDirName)
+
+	ErrNotFound = fmt.Errorf("data not found in keystore")
+)
+
+func putToKeyStore(storeId string, payloadId, payload []byte) error {
+	seed := sha512.Sum512(payloadId)
+	if xsk, err := xipher.SecretKeyFromSeed(seed); err != nil {
+		return fmt.Errorf("error writing data to keystore: %w", err)
+	} else {
+		if !commons.DirExists(keyStoreDir) {
+			if err := os.MkdirAll(keyStoreDir, 0755); err != nil {
+				return fmt.Errorf("error creating keystore directory: %w", err)
+			}
+		}
+		if ct, err := xsk.Encrypt(payload, true, false); err != nil {
+			return fmt.Errorf("error encrypting data for keystore: %w", err)
+		} else {
+			storePath := filepath.Join(keyStoreDir, storeId)
+			if err := os.WriteFile(storePath, ct, 0644); err != nil {
+				return fmt.Errorf("error writing data to keystore: %w", err)
+			}
+			return nil
+		}
+	}
+}
+
+func getFromKeyStore(storeId string, payloadId []byte) ([]byte, error) {
+	seed := sha512.Sum512(payloadId)
+	if xsk, err := xipher.SecretKeyFromSeed(seed); err != nil {
+		return nil, fmt.Errorf("error reading data from keystore: %w", err)
+	} else {
+		storePath := filepath.Join(keyStoreDir, storeId)
+		if commons.FileExists(storePath) {
+			if payload, err := os.ReadFile(storePath); err == nil && len(payload) > 0 {
+				if decryptedPayload, err := xsk.Decrypt(payload); err != nil {
+					return nil, fmt.Errorf("error reading data from keystore: %w", err)
+				} else {
+					return decryptedPayload, nil
+				}
+			} else if err != nil {
+				return nil, fmt.Errorf("error reading data from keystore: %w", err)
+			}
+		}
+		return nil, ErrNotFound
+	}
+}
+
+func Put(id, payload []byte, useLocalStore bool) error {
+	sha256sum := sha256.Sum256(id)
+	storeId := commons.Encode(sha256sum[:])
+	if err := keyring.Set(keyringServiceName, storeId, string(payload)); err == nil {
+		return nil
+	} else if useLocalStore {
+		return putToKeyStore(storeId, id, payload)
+	} else {
+		return fmt.Errorf("error saving data to keystore: %w", err)
+	}
+}
+
+func Get(id []byte, useLocalStore bool) ([]byte, error) {
+	sha256sum := sha256.Sum256(id)
+	storeId := commons.Encode(sha256sum[:])
+	if payloadStr, err := keyring.Get(keyringServiceName, storeId); err == nil {
+		return []byte(payloadStr), nil
+	} else if err == keyring.ErrNotFound {
+		return nil, ErrNotFound
+	} else if useLocalStore {
+		return getFromKeyStore(storeId, id)
+	} else {
+		return nil, fmt.Errorf("error reading data from keystore: %w", err)
+	}
+}

internal/core/profiles/const.go

@@ -3,6 +3,8 @@ package profiles
 import (
 	"errors"
 	"time"
+
+	"xipher.org/xipher"
 )
 
 // Errors and constants used by profiles
@@ -18,11 +20,14 @@ const (
 
 	defaultEnvManifestFileName = "environments.yaml"
 	defaultSettingsFileName    = "settings.yaml"
+
+	profileCryptoKeyName = "slv_profiles"
 )
 
 var (
 	profileMgr *profileManager     = nil
 	profileMap map[string]*Profile = make(map[string]*Profile)
+	profileSK  *xipher.SecretKey
 
 	envManifestFileNames = []string{defaultEnvManifestFileName, "environments.yml"}
 	settingsFileNames    = []string{defaultSettingsFileName, "settings.yml"}

internal/core/profiles/git.go

@@ -1,8 +1,8 @@
 package profiles
 
 import (
+	"fmt"
 	"os"
-	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
@@ -14,16 +14,18 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	gitssh "github.com/go-git/go-git/v5/plumbing/transport/ssh"
-	"github.com/kevinburke/ssh_config"
 	"golang.org/x/crypto/ssh"
+	"slv.sh/slv/internal/core/commons"
 )
 
 const (
 	configGitRepoKey      = "repo"
 	configGitBranchKey    = "branch"
 	configGitHTTPUserKey  = "username"
 	configGitHTTPTokenKey = "token"
-	configGitHTTPSSHKey   = "ssh-key"
+	configGitSSHKey       = "ssh-key"
+
+	gitUrlRegexPattern = `(?i)^(?:(https?|git|ssh):\/\/[\w.@\-~:/]+\.git|git@[\w.\-]+:[\w./~-]+\.git)$`
 )
 
 var gitArgs = []arg{
@@ -47,84 +49,50 @@ var gitArgs = []arg{
 		description: "The token to authenticate with the git repository over HTTP",
 	},
 	{
-		name:        configGitHTTPSSHKey,
+		name:        configGitSSHKey,
 		sensitive:   true,
 		description: "The path to the SSH private key file to authenticate with the git repository over SSH",
 	},
 }
 
-func expandTilde(path string) string {
-	if len(path) > 0 && path[0] == '~' {
-		if home, err := os.UserHomeDir(); err == nil {
-			return filepath.Join(home, path[1:])
-		}
-	}
-	return path
-}
-
-func getSSHKeyFiles(uri string) []string {
-	pattern := regexp.MustCompile(`(?:[^@]+@)?([^:/]+)`)
-	matches := pattern.FindStringSubmatch(uri)
-	if len(matches) < 2 {
-		return nil
-	}
-	hostname := matches[1]
-	if hostname != "" {
-		allKeyPaths := ssh_config.GetAll(hostname, "IdentityFile")
-		var keyPaths []string
-		keyPathMap := make(map[string]struct{})
-		for _, keyPath := range allKeyPaths {
-			keyPath = expandTilde(keyPath)
-			if _, found := keyPathMap[keyPath]; !found {
-				keyPaths = append(keyPaths, keyPath)
-				keyPathMap[keyPath] = struct{}{}
-			}
-		}
-		return keyPaths
-	}
-	return nil
-}
-
-func getGitAuth(config map[string]string) transport.AuthMethod {
+func getGitAuth(config map[string]string) (auth transport.AuthMethod, err error) {
 	gitUrl := config[configGitRepoKey]
+	if !regexp.MustCompile(gitUrlRegexPattern).MatchString(gitUrl) {
+		return nil, fmt.Errorf("invalid git URL: %s", gitUrl)
+	}
 	if strings.HasPrefix(gitUrl, "https://") || strings.HasPrefix(gitUrl, "http://") {
 		username := config[configGitHTTPUserKey]
 		token := config[configGitHTTPTokenKey]
 		if username != "" && token != "" {
-			return &http.BasicAuth{
+			auth = &http.BasicAuth{
 				Username: username,
 				Password: token,
 			}
+		} else if username != "" || token != "" {
+			err = fmt.Errorf("both username and token must be provided for HTTP authentication")
 		}
-	}
-	if sshAgentAuth, err := gitssh.NewSSHAgentAuth("git"); err == nil {
-		return sshAgentAuth
-	}
-	if sshKeyFile := config[configGitHTTPSSHKey]; sshKeyFile != "" {
-		if keyBytes, err := os.ReadFile(sshKeyFile); err == nil {
-			_, err = ssh.ParsePrivateKey(keyBytes)
-			if err == nil {
-				auth, err := gitssh.NewPublicKeysFromFile("git", sshKeyFile, "")
-				if err == nil {
-					return auth
+	} else {
+		if sshKey := config[configGitSSHKey]; sshKey != "" {
+			var keyBytes []byte
+			if commons.FileExists(sshKey) {
+				if keyBytes, err = os.ReadFile(sshKey); err != nil {
+					return nil, fmt.Errorf("failed to read SSH key file %s: %w", sshKey, err)
 				}
+				config[configGitSSHKey] = string(keyBytes)
+			} else {
+				keyBytes = []byte(sshKey)
 			}
-		}
-	}
-	if sshKeyFiles := getSSHKeyFiles(gitUrl); len(sshKeyFiles) > 0 {
-		keyPath := sshKeyFiles[0]
-		keyBytes, err := os.ReadFile(keyPath)
-		if err == nil {
-			_, err = ssh.ParsePrivateKey(keyBytes)
-			if err == nil {
-				auth, err := gitssh.NewPublicKeysFromFile("git", keyPath, "")
-				if err == nil {
-					return auth
-				}
+			if _, err = ssh.ParsePrivateKey(keyBytes); err != nil {
+				return nil, fmt.Errorf("failed to parse SSH key: %w", err)
+			}
+			if auth, err = gitssh.NewPublicKeys("git", keyBytes, ""); err != nil {
+				return nil, fmt.Errorf("failed to create SSH auth from file %s: %w", sshKey, err)
 			}
+		} else if auth, err = gitssh.NewSSHAgentAuth("git"); err != nil {
+			return nil, fmt.Errorf("failed to create SSH agent auth: %w", err)
 		}
 	}
-	return nil
+	return
 }
 
 func gitCommit(repo *git.Repository, msg string) error {
@@ -158,7 +126,9 @@ func gitSetup(dir string, config map[string]string) (err error) {
 	cloneOptions := &git.CloneOptions{
 		URL: gitUrl,
 	}
-	cloneOptions.Auth = getGitAuth(config)
+	if cloneOptions.Auth, err = getGitAuth(config); err != nil {
+		return err
+	}
 	branch := config[configGitBranchKey]
 	if branch != "" {
 		cloneOptions.ReferenceName = plumbing.NewBranchReferenceName(branch)
@@ -177,8 +147,12 @@ func gitPull(dir string, config map[string]string) (err error) {
 	if err != nil {
 		return err
 	}
+	var auth transport.AuthMethod
+	if auth, err = getGitAuth(config); err != nil {
+		return err
+	}
 	err = worktree.Pull(&git.PullOptions{
-		Auth: getGitAuth(config),
+		Auth: auth,
 	})
 	if err == git.NoErrAlreadyUpToDate {
 		return nil
@@ -194,7 +168,11 @@ func gitPush(dir string, config map[string]string, note string) (err error) {
 	if err = gitCommit(repo, note); err != nil {
 		return err
 	}
+	var auth transport.AuthMethod
+	if auth, err = getGitAuth(config); err != nil {
+		return err
+	}
 	return repo.Push(&git.PushOptions{
-		Auth: getGitAuth(config),
+		Auth: auth,
 	})
 }