trisacrypto · pdeziel · Nov 2, 2023 · Oct 30, 2023 · Oct 30, 2023 · Oct 31, 2023
diff --git a/.gitignore b/.gitignore
@@ -22,3 +22,9 @@
 
 # Go workspace file
 go.work
+
+# macOS
+*.DS_Store
+
+# Google credentials
+*.json
diff --git a/cmd/courier/main.go b/cmd/courier/main.go
@@ -2,8 +2,10 @@ package main
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"io"
 	"log"
 	"os"
 	"time"
@@ -57,6 +59,69 @@ func main() {
 					},
 				},
 			},
+			{
+				Name:     "store:password",
+				Usage:    "store a pkcs12 password using the courier server",
+				Category: "client",
+				Action:   storePassword,
+				Flags: []cli.Flag{
+					&cli.StringFlag{
+						Name:     "url",
+						Aliases:  []string{"u", "endpoint"},
+						Usage:    "url to connect to the courier server",
+						EnvVars:  []string{"COURIER_CLIENT_URL"},
+						Required: true,
+					},
+					&cli.StringFlag{
+						Name:     "id",
+						Aliases:  []string{"i"},
+						Usage:    "the id of the certificate to store the password for",
+						Required: true,
+					},
+					&cli.StringFlag{
+						Name:    "password",
+						Aliases: []string{"p"},
+						Usage:   "the password to store",
+					},
+					&cli.StringFlag{
+						Name:    "file",
+						Aliases: []string{"f"},
+						Usage:   "specify a file to read the password from",
+					},
+				},
+			},
+			{
+				Name:     "store:certificate",
+				Usage:    "store a pkcs12 certificate using the courier server",
+				Category: "client",
+				Action:   storeCertificate,
+				Flags: []cli.Flag{
+					&cli.StringFlag{
+						Name:     "url",
+						Aliases:  []string{"u", "endpoint"},
+						Usage:    "url to connect to the courier server",
+						EnvVars:  []string{"COURIER_CLIENT_URL"},
+						Required: true,
+					},
+					&cli.StringFlag{
+						Name:     "id",
+						Aliases:  []string{"i"},
+						Usage:    "the id of the certificate, used to lookup the stored password",
+						Required: true,
+					},
+					&cli.StringFlag{
+						Name:     "file",
+						Aliases:  []string{"f"},
+						Usage:    "path to the certificate file",
+						Required: true,
+					},
+					&cli.BoolFlag{
+						Name:    "no-decrypt",
+						Aliases: []string{"D"},
+						Usage:   "do not decrypt the certificate before storing it",
+					},
+				},
+			},
 			{
 				Name:     "secrets:get",
 				Usage:    "get a secret from the secret manager",
@@ -138,6 +203,78 @@ func status(c *cli.Context) (err error) {
 	return printJSON(rep)
 }
 
+// Store a password using the courier service.
+func storePassword(c *cli.Context) (err error) {
+	var client api.CourierClient
+	if client, err = api.New(c.String("url")); err != nil {
+		return cli.Exit(err, 1)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	if c.String("password") == "" && c.String("file") == "" {
+		return cli.Exit("either --password or --file must be specified", 1)
+	}
+
+	var password string
+	if password = c.String("password"); password == "" {
+		var f *os.File
+		if f, err = os.Open(c.String("file")); err != nil {
+			return cli.Exit(err, 1)
+		}
+
+		var data []byte
+		if data, err = io.ReadAll(f); err != nil {
+			return cli.Exit(err, 1)
+		}
+
+		password = string(data)
+	}
+
+	req := &api.StorePasswordRequest{
+		ID:       c.String("id"),
+		Password: password,
+	}
+	if err = client.StoreCertificatePassword(ctx, req); err != nil {
+		return cli.Exit(err, 1)
+	}
+
+	return nil
+}
+
+// Store a certificate using the courier service.
+func storeCertificate(c *cli.Context) (err error) {
+	var client api.CourierClient
+	if client, err = api.New(c.String("url")); err != nil {
+		return cli.Exit(err, 1)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	var f *os.File
+	if f, err = os.Open(c.String("file")); err != nil {
+		return cli.Exit(err, 1)
+	}
+
+	var data []byte
+	if data, err = io.ReadAll(f); err != nil {
+		return cli.Exit(err, 1)
+	}
+
+	req := &api.StoreCertificateRequest{
+		ID:                c.String("id"),
+		NoDecrypt:         c.Bool("no-decrypt"),
+		Base64Certificate: base64.StdEncoding.EncodeToString(data),
+	}
+	if err = client.StoreCertificate(ctx, req); err != nil {
+		return cli.Exit(err, 1)
+	}
+
+	return nil
+}
+
 // Get a secret from the secret manager.
 func getSecret(c *cli.Context) (err error) {
 	conf := config.SecretsConfig{

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -84,6 +84,22 @@ func TestValidate(t *testing.T) {
 		require.NoError(t, conf.Validate(), "secure config should be valid")
 	})
 
+	t.Run("ValidSecretManager", func(t *testing.T) {
+		conf := config.Config{
+			BindAddr: ":8080",
+			Mode:     "debug",
+			MTLS: config.MTLSConfig{
+				Insecure: true,
+			},
+			SecretManager: config.SecretsConfig{
+				Enabled:     true,
+				Credentials: "test-credentials",
+				Project:     "test-project",
+			},
+		}
+		require.NoError(t, conf.Validate(), "secret manager config should be valid")
+	})
+
 	t.Run("MissingBindAddr", func(t *testing.T) {
 		conf := config.Config{
 			Mode: "debug",

diff --git a/pkg/server.go b/pkg/server.go
@@ -15,6 +15,7 @@ import (
 	"github.com/trisacrypto/courier/pkg/api/v1"
 	"github.com/trisacrypto/courier/pkg/config"
 	"github.com/trisacrypto/courier/pkg/store"
+	"github.com/trisacrypto/courier/pkg/store/gcloud"
 	"github.com/trisacrypto/courier/pkg/store/local"
 )
 
@@ -39,6 +40,10 @@ func New(conf config.Config) (s *Server, err error) {
 		if s.store, err = local.Open(conf.LocalStorage); err != nil {
 			return nil, err
 		}
+	case conf.SecretManager.Enabled:
+		if s.store, err = gcloud.Open(conf.SecretManager); err != nil {
+			return nil, err
+		}
 	default:
 		return nil, errors.New("no storage backend configured")
 	}

diff --git a/pkg/store/local/store.go b/pkg/store/local/store.go
@@ -52,15 +52,15 @@ func (s *Store) Close() error {
 func (s *Store) GetPassword(ctx context.Context, id string) (password []byte, err error) {
 	s.RLock()
 	defer s.RUnlock()
-	return s.readFile(s.fullPath(store.PasswordPrefix, id))
+	return s.readFile(s.fullPath(store.PasswordPrefix, id, archiveExt))
 }
 
 // UpdatePassword updates a password by id in the local storage backend. If the
 // password does not exist, it is created. Otherwise, it is overwritten.
 func (s *Store) UpdatePassword(ctx context.Context, id string, password []byte) (err error) {
 	s.Lock()
 	defer s.Unlock()
-	return s.writeFile(s.fullPath(store.PasswordPrefix, id), password)
+	return s.writeFile(s.fullPath(store.PasswordPrefix, id, archiveExt), password)
 }
 
 //===========================================================================
@@ -73,7 +73,7 @@ func (s *Store) GetCertificate(ctx context.Context, name string) (cert []byte, e
 	defer s.RUnlock()
 
 	// Load the certificate archive into bytes
-	if cert, err = os.ReadFile(s.fullPath(store.CertificatePrefix, name)); err != nil {
+	if cert, err = os.ReadFile(s.fullPath(store.CertificatePrefix, name, "")); err != nil {
 		if os.IsNotExist(err) {
 			return nil, store.ErrNotFound
 		}
@@ -87,16 +87,16 @@ func (s *Store) GetCertificate(ctx context.Context, name string) (cert []byte, e
 func (s *Store) UpdateCertificate(ctx context.Context, name string, cert []byte) (err error) {
 	s.Lock()
 	defer s.Unlock()
-	return os.WriteFile(s.fullPath(store.CertificatePrefix, name), cert, 0644)
+	return os.WriteFile(s.fullPath(store.CertificatePrefix, name, ""), cert, 0644)
 }
 
 //===========================================================================
 // Helper methods
 //===========================================================================
 
 // fullPath returns the full path to an archive file in the local storage backend.
-func (s *Store) fullPath(prefix, name string) string {
-	return filepath.Join(s.path, prefix+"-"+name+archiveExt)
+func (s *Store) fullPath(prefix, name, ext string) string {
+	return filepath.Join(s.path, prefix+"-"+name+ext)
 }
 
 // read returns file data by archive path from the local storage