From fee929bb2a311bf7c999ee4b9fdf5de1c71e865b Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 30 Jan 2022 19:03:47 +0000
Subject: [PATCH] add possibility to load secret from file, delete the secret file after loading

---
 src/bunker.go | 10 +++++++++-
 src/storage/mysql-storage.go | 11 +++++++++++
 src/storage/storage.go | 13 +++++++++++++
 src/utils.go | 14 ++++++++++++++
 4 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/src/bunker.go b/src/bunker.go
index 6511eec..2e4f585 100644
--- a/src/bunker.go
+++ b/src/bunker.go
@@ -521,6 +521,10 @@ func masterkeyGet(masterKeyPtr *string) ([]byte, error) {
 }
 // Convert []byte to string
 masterKeyStr = strings.TrimSpace(string(content))
+ // we will TRY to delete secret file when running inside container/kubernetes
+ if isContainer() == true {
+ os.Remove(os.Getenv("DATABUNKER_MASTERKEY_FILE"))
+ }
 }
 if len(masterKeyStr) == 0 {
 return nil, errors.New("Master key environment variable/parameter is missing")
@@ -602,7 +606,11 @@ func main() {
 log.Printf("Error: %s", masterKeyErr)
 os.Exit(0)
 }
- store, _ := storage.OpenDB(dbPtr)
+ store, err := storage.OpenDB(dbPtr)
+ if err != nil {
+ log.Printf("Filed to open db: %s", err)
+ os.Exit(0)
+ }
 hash := md5.Sum(masterKey)
 db := &dbcon{store, masterKey, hash[:]}
 e := mainEnv{db, cfg, make(chan struct{})}
diff --git a/src/storage/mysql-storage.go b/src/storage/mysql-storage.go
index 46113a3..cb506ad 100644
--- a/src/storage/mysql-storage.go
+++ b/src/storage/mysql-storage.go
@@ -5,6 +5,7 @@ package storage
 import (
 "database/sql"
 "fmt"
+ "io/ioutil"
 "log"
 "net/http"
 "os"
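Review bot: The added `os.Remove(os.Getenv("DATABUNKER_MASTERKEY_FILE"))` in masterkeyGet discards its error, so when the path is a read-only Kubernetes Secret mount, or differs from the path the key was actually read from, the "TRY" silently does nothing and the key stays on disk with no trace in the logs; `log` is already used in this file, so `if err := os.Remove(os.Getenv("DATABUNKER_MASTERKEY_FILE")); err != nil { log.Printf("master key file not removed: %v", err) }` costs nothing. The deletion is also only defense in depth: a Secret volume is re-projected on every pod restart and the key is already in process memory, so the comment should say this is best-effort hardening rather than a guarantee. `if isContainer() == true` can be written `if isContainer()`. masterkeyGet's body begins outside the hunk.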
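Review bot: `os.Exit(0)` after a failed `storage.OpenDB` reports success to the supervisor, so a pod or service unit whose database is unreachable looks like a clean shutdown rather than a crash and exit-status-based restart/backoff policies never fire; use `os.Exit(1)`. The new message also has a typo: `log.Printf("Failed to open db: %s", err)`. The pre-existing master-key error path just above exits with 0 as well, which is not this commit's doing but is worth fixing in the same pass. main continues outside the hunk.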
@@ -44,6 +45,13 @@ func (dbobj MySQLDB) getConnectionString(dbname *string) string {
 if dbname != nil && len(*dbname) > 0 {
 dbnameString = *dbname
 }
+ if len(os.Getenv("MYSQL_USER_PASS_FILE")) > 0 {
+ content, err := ioutil.ReadFile(os.Getenv("MYSQL_USER_PASS_FILE"))
+ if err != nil {
+ return ""
+ }
+ pass = strings.TrimSpace(string(content))
+ }
 //str0 := fmt.Sprintf("%s:****@tcp(%s:%s)/%s", user, host, port, dbnameString)
 //fmt.Printf("myql connection string: %s\n", str0)
 str := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s", user, pass, host, port, dbnameString)
@@ -135,6 +143,9 @@ func (dbobj *MySQLDB) OpenDB(dbname *string) error {
 }
 tx.Commit()
 fmt.Printf("tables: %s\n", allTables)
+ if isContainer() == true && len(os.Getenv("MYSQL_USER_PASS_FILE")) > 0 {
+ os.Remove(os.Getenv("MYSQL_USER_PASS_FILE"))
+ }
 return nil
 }
 
diff --git a/src/storage/storage.go b/src/storage/storage.go
index 7320e5f..598d5ed 100644
--- a/src/storage/storage.go
+++ b/src/storage/storage.go
@@ -141,3 +141,16 @@ func contains(slice []string, item string) bool {
 _, ok := set[item]
 return ok
 }
+
+func isContainer() bool {
+ //if _, err := os.Stat("/.dockerenv"); err == nil {
+ // return true
+ //}
+ if len(os.Getenv("KUBERNETES_SERVICE_HOST")) > 0 {
+ return true
+ }
+ if _, err := os.Stat("/var/run/secrets/kubernetes.io"); err == nil {
+ return true
+ }
+ return false
+}
diff --git a/src/utils.go b/src/utils.go
index 6656219..9bc2a7c 100644
--- a/src/utils.go
+++ b/src/utils.go
@@ -12,6 +12,7 @@ import (
 "mime"
 "net/http"
 "net/url"
+ "os"
 "regexp"
 "strconv"
 "strings"
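Review bot: A read failure of `MYSQL_USER_PASS_FILE` in getConnectionString is swallowed by `return ""`, so the eventual failure surfaces later as a DSN or connection error that says nothing about the password file; `log` is already imported here, so log the cause (path and error, never the content) before returning: `log.Printf("mysql password file %q: %v", os.Getenv("MYSQL_USER_PASS_FILE"), err)`. `ioutil.ReadFile` has been deprecated since Go 1.16 in favour of `os.ReadFile`, which would also make the new `io/ioutil` import unnecessary if the module targets that version. `strings.TrimSpace` additionally strips whitespace that may be part of the password; if only the trailing newline of a mounted secret is the concern, `strings.TrimRight(string(content), "\r\n")` is the narrower cut. The function's body begins outside the hunk.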
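Review bot: The `os.Remove` at the end of OpenDB ignores its result, and once the file is gone any later call to getConnectionString (a reconnect, a second OpenDB) would silently build a DSN without the file-provided password; I cannot see from the hunk whether the DSN is ever rebuilt, so this is worth confirming before relying on the deletion. At minimum log the failure, `if err := os.Remove(path); err != nil { log.Printf("password file not removed: %v", err) }`, and if the DSN can be rebuilt, keep the password read from the file on the receiver so the file is needed only once. `isContainer() == true` can be just `isContainer()`. OpenDB's body begins outside the hunk.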
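Review bot: The new `isContainer` in storage.go has no doc comment and ships with a commented-out `/.dockerenv` check, which leaves the reader guessing whether plain Docker is meant to be excluded; add `// isContainer reports whether the process appears to run in a Kubernetes pod: KUBERNETES_SERVICE_HOST is set or the service-account secret mount exists. Plain Docker is not detected.` and either delete the dead `/.dockerenv` lines or give the one-line reason they are disabled. Note that any `os.Stat` error, including a permission error, reads as "not a container", which errs on the side of keeping the secret file — acceptable, but worth a word in the comment.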
@@ -299,6 +300,19 @@ func isValidHex(hex1 string) bool {
 return regexHex.MatchString(hex1)
 }
 
+func isContainer() bool {
+ //if _, err := os.Stat("/.dockerenv"); err == nil {
+ // return true
+ //}
+ if len(os.Getenv("KUBERNETES_SERVICE_HOST")) > 0 {
+ return true
+ }
+ if _, err := os.Stat("/var/run/secrets/kubernetes.io"); err == nil {
+ return true
+ }
+ return false
+}
+
 // stringPatternMatch looks for basic human patterns like "*", "*abc*", etc...
 func stringPatternMatch(pattern string, value string) bool {
 if len(pattern) == 0 {
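Review bot: This `isContainer` is a byte-for-byte copy of the one added to `src/storage/storage.go` in the same commit, so the two container-detection heuristics will drift the first time one is touched. Export a single one from package storage, `func IsContainer() bool`, and call `storage.IsContainer()` from masterkeyGet in bunker.go (which already imports storage for `storage.OpenDB`), dropping this copy and the new `os` import in utils.go if nothing else there needs it. Whichever copy survives needs a doc comment, e.g. `// isContainer reports whether the process appears to run in a Kubernetes pod (KUBERNETES_SERVICE_HOST set or the service-account secret mount present).`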