mirror of
https://github.com/Luzifer/ots.git
synced 2025-08-01 18:56:04 -04:00
Implement OTS-CLI utility (#117)
This commit is contained in:
Knut Ahlers
GitHub
parent
c5124731f5
commit
546481dcfc
20 changed files with 861 additions and 70 deletions
199
pkg/client/client.go
Normal file
199
pkg/client/client.go
Normal file
|
|
@ -0,0 +1,199 @@
|
|||
// Package client implements a client library for OTS supporting the
|
||||
// OTSMeta content format for file upload support
|
||||
package client
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"crypto/sha512"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/Luzifer/go-openssl/v4"
|
||||
)
|
||||
|
||||
// HTTPClient defines the client to use for create and fetch requests
|
||||
// and can be overwritten to provide authentication
|
||||
var HTTPClient = http.DefaultClient
|
||||
|
||||
// KeyDerivationFunc defines the key derivation algorithm used in OTS
|
||||
// to derive the key / iv from the password for encryption. You only
|
||||
// should change this if you are running an OTS instance with modified
|
||||
// parameters.
|
||||
//
|
||||
// The corresponding settings are found in `/src/crypto.js` in the OTS
|
||||
// source code.
|
||||
var KeyDerivationFunc = openssl.NewPBKDF2Generator(sha512.New, 300000) //nolint:gomnd // that's the definition
|
||||
|
||||
// PasswordLength defines the length of the generated encryption password
|
||||
var PasswordLength = 20
|
||||
|
||||
// RequestTimeout defines how long the request to the OTS instance for
|
||||
// create and fetch may take
|
||||
var RequestTimeout = 5 * time.Second
|
||||
|
||||
// UserAgent defines the user-agent to send when interacting with an
|
||||
// OTS instance. When using this library please set this to something
|
||||
// the operator of the instance can determine your client from and
|
||||
// provide an URL to useful information about your tool.
|
||||
var UserAgent = "ots-client/1.x +https://github.com/Luzifer/ots"
|
||||
|
||||
// Create serializes the secret and creates a new secret on the
|
||||
// instance given by its URL.
|
||||
//
|
||||
// The given URL should point to the frontend of the instance. Do not
|
||||
// include the API paths, they are added automatically. For the
|
||||
// expireIn parameter zero value can be used to use server-default.
|
||||
//
|
||||
// So for OTS.fyi you'd use `New("https://ots.fyi/")`
|
||||
func Create(instanceURL string, secret Secret, expireIn time.Duration) (string, time.Time, error) {
|
||||
u, err := url.Parse(instanceURL)
|
||||
if err != nil {
|
||||
return "", time.Time{}, fmt.Errorf("parsing instance URL: %w", err)
|
||||
}
|
||||
|
||||
pass, err := genPass()
|
||||
if err != nil {
|
||||
return "", time.Time{}, fmt.Errorf("generating password: %w", err)
|
||||
}
|
||||
|
||||
data, err := secret.serialize(pass)
|
||||
if err != nil {
|
||||
return "", time.Time{}, fmt.Errorf("serializing data: %w", err)
|
||||
}
|
||||
|
||||
body := new(bytes.Buffer)
|
||||
if err = json.NewEncoder(body).Encode(struct {
|
||||
Secret string `json:"secret"`
|
||||
}{Secret: string(data)}); err != nil {
|
||||
return "", time.Time{}, fmt.Errorf("encoding request payload: %w", err)
|
||||
}
|
||||
|
||||
createURL := u.JoinPath(strings.Join([]string{".", "api", "create"}, "/"))
|
||||
ctx, cancel := context.WithTimeout(context.Background(), RequestTimeout)
|
||||
defer cancel()
|
||||
|
||||
if expireIn > time.Second {
|
||||
createURL.RawQuery = url.Values{
|
||||
"expire": []string{strconv.Itoa(int(expireIn / time.Second))},
|
||||
}.Encode()
|
||||
}
|
||||
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, createURL.String(), body)
|
||||
if err != nil {
|
||||
return "", time.Time{}, fmt.Errorf("creating request: %w", err)
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
req.Header.Set("User-Agent", UserAgent)
|
||||
|
||||
resp, err := HTTPClient.Do(req)
|
||||
if err != nil {
|
||||
return "", time.Time{}, fmt.Errorf("executing request: %w", err)
|
||||
}
|
||||
defer resp.Body.Close() //nolint:errcheck // possible leaked-fd, lib should not log, potential short-lived leak
|
||||
|
||||
if resp.StatusCode != http.StatusCreated {
|
||||
respBody, err := io.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return "", time.Time{}, fmt.Errorf("unexpected HTTP status %d", resp.StatusCode)
|
||||
}
|
||||
return "", time.Time{}, fmt.Errorf("unexpected HTTP status %d (%s)", resp.StatusCode, respBody)
|
||||
}
|
||||
|
||||
var payload struct {
|
||||
ExpiresAt time.Time `json:"expires_at"`
|
||||
SecretID string `json:"secret_id"`
|
||||
Success bool `json:"success"`
|
||||
}
|
||||
|
||||
if err = json.NewDecoder(resp.Body).Decode(&payload); err != nil {
|
||||
return "", time.Time{}, fmt.Errorf("decoding response: %w", err)
|
||||
}
|
||||
|
||||
u.Fragment = strings.Join([]string{payload.SecretID, pass}, "|")
|
||||
|
||||
return u.String(), payload.ExpiresAt, nil
|
||||
}
|
||||
|
||||
// Fetch retrieves a secret by its given URL. The URL given must
|
||||
// include the fragment (part after the `#`) with the secret ID and
|
||||
// the encryption passphrase.
|
||||
//
|
||||
// The object returned will always be an OTSMeta object even in case
|
||||
// the secret is a plain secret without attachments.
|
||||
func Fetch(secretURL string) (s Secret, err error) {
|
||||
u, err := url.Parse(secretURL)
|
||||
if err != nil {
|
||||
return s, fmt.Errorf("parsing secret URL: %w", err)
|
||||
}
|
||||
|
||||
fragment, err := url.QueryUnescape(u.Fragment)
|
||||
if err != nil {
|
||||
return s, fmt.Errorf("unescaping fragment: %w", err)
|
||||
}
|
||||
fragmentParts := strings.SplitN(fragment, "|", 2) //nolint:gomnd
|
||||
|
||||
fetchURL := u.JoinPath(strings.Join([]string{".", "api", "get", fragmentParts[0]}, "/")).String()
|
||||
ctx, cancel := context.WithTimeout(context.Background(), RequestTimeout)
|
||||
defer cancel()
|
||||
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, fetchURL, nil)
|
||||
if err != nil {
|
||||
return s, fmt.Errorf("creating request: %w", err)
|
||||
}
|
||||
req.Header.Set("User-Agent", UserAgent)
|
||||
|
||||
resp, err := HTTPClient.Do(req)
|
||||
if err != nil {
|
||||
return s, fmt.Errorf("executing request: %w", err)
|
||||
}
|
||||
defer resp.Body.Close() //nolint:errcheck // possible leaked-fd, lib should not log, potential short-lived leak
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return s, fmt.Errorf("unexpected HTTP status %d", resp.StatusCode)
|
||||
}
|
||||
|
||||
var payload struct {
|
||||
Secret string `json:"secret"`
|
||||
}
|
||||
|
||||
if err = json.NewDecoder(resp.Body).Decode(&payload); err != nil {
|
||||
return s, fmt.Errorf("decoding response body: %w", err)
|
||||
}
|
||||
|
||||
if err = s.read([]byte(payload.Secret), fragmentParts[1]); err != nil {
|
||||
return s, fmt.Errorf("decoding secret: %w", err)
|
||||
}
|
||||
|
||||
return s, nil
|
||||
}
|
||||
|
||||
func genPass() (string, error) {
|
||||
var (
|
||||
charSet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
pass = make([]byte, PasswordLength)
|
||||
|
||||
n int
|
||||
err error
|
||||
)
|
||||
|
||||
for n < PasswordLength {
|
||||
n, err = rand.Read(pass)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("reading random data: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
for i := 0; i < PasswordLength; i++ {
|
||||
pass[i] = charSet[int(pass[i])%len(charSet)]
|
||||
}
|
||||
|
||||
return string(pass), nil
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue