feat(docker-watcher): phase 2 - crypto & config seed loader
AES-256-GCM encryption for credential storage, YAML seed config parser with validation, and transactional import into SQLite. Credentials (registry tokens, NPM password) encrypted before storage.
This commit is contained in:
@@ -0,0 +1,112 @@
|
||||
package config
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"gopkg.in/yaml.v3"
|
||||
)
|
||||
|
||||
// SeedConfig represents the top-level YAML seed configuration.
|
||||
type SeedConfig struct {
|
||||
Global GlobalConfig `yaml:"global"`
|
||||
Registries map[string]RegistryDef `yaml:"registries"`
|
||||
Projects map[string]ProjectDef `yaml:"projects"`
|
||||
}
|
||||
|
||||
// GlobalConfig holds domain-wide settings from the seed file.
|
||||
type GlobalConfig struct {
|
||||
Domain string `yaml:"domain"`
|
||||
ServerIP string `yaml:"server_ip"`
|
||||
Network string `yaml:"network"`
|
||||
SubdomainPattern string `yaml:"subdomain_pattern"`
|
||||
NotificationURL string `yaml:"notification_url"`
|
||||
Npm NpmConfig `yaml:"npm"`
|
||||
}
|
||||
|
||||
// NpmConfig holds Nginx Proxy Manager connection details.
|
||||
type NpmConfig struct {
|
||||
URL string `yaml:"url"`
|
||||
Email string `yaml:"email"`
|
||||
Password string `yaml:"password"`
|
||||
}
|
||||
|
||||
// RegistryDef defines a container registry from the seed file.
|
||||
type RegistryDef struct {
|
||||
URL string `yaml:"url"`
|
||||
Type string `yaml:"type"`
|
||||
Token string `yaml:"token"`
|
||||
}
|
||||
|
||||
// ProjectDef defines a project from the seed file.
|
||||
type ProjectDef struct {
|
||||
Registry string `yaml:"registry"`
|
||||
Image string `yaml:"image"`
|
||||
Port int `yaml:"port"`
|
||||
Healthcheck string `yaml:"healthcheck"`
|
||||
Env map[string]string `yaml:"env"`
|
||||
Volumes map[string]string `yaml:"volumes"`
|
||||
Stages map[string]StageDef `yaml:"stages"`
|
||||
}
|
||||
|
||||
// StageDef defines a deployment stage from the seed file.
|
||||
type StageDef struct {
|
||||
TagPattern string `yaml:"tag_pattern"`
|
||||
AutoDeploy bool `yaml:"auto_deploy"`
|
||||
MaxInstances int `yaml:"max_instances"`
|
||||
Confirm bool `yaml:"confirm"`
|
||||
PromoteFrom string `yaml:"promote_from"`
|
||||
Subdomain string `yaml:"subdomain"`
|
||||
}
|
||||
|
||||
// LoadSeedFile reads and parses the YAML seed config from the given path.
|
||||
func LoadSeedFile(path string) (SeedConfig, error) {
|
||||
data, err := os.ReadFile(path)
|
||||
if err != nil {
|
||||
return SeedConfig{}, fmt.Errorf("read seed file: %w", err)
|
||||
}
|
||||
|
||||
return ParseSeed(data)
|
||||
}
|
||||
|
||||
// ParseSeed parses raw YAML bytes into a SeedConfig.
|
||||
func ParseSeed(data []byte) (SeedConfig, error) {
|
||||
var cfg SeedConfig
|
||||
if err := yaml.Unmarshal(data, &cfg); err != nil {
|
||||
return SeedConfig{}, fmt.Errorf("parse yaml: %w", err)
|
||||
}
|
||||
|
||||
if err := validate(cfg); err != nil {
|
||||
return SeedConfig{}, fmt.Errorf("validate seed config: %w", err)
|
||||
}
|
||||
|
||||
return cfg, nil
|
||||
}
|
||||
|
||||
// validate checks that required fields are present in the seed config.
|
||||
func validate(cfg SeedConfig) error {
|
||||
if cfg.Global.Domain == "" {
|
||||
return fmt.Errorf("global.domain is required")
|
||||
}
|
||||
|
||||
for name, proj := range cfg.Projects {
|
||||
if proj.Image == "" {
|
||||
return fmt.Errorf("project %q: image is required", name)
|
||||
}
|
||||
if proj.Registry != "" {
|
||||
if _, ok := cfg.Registries[proj.Registry]; !ok {
|
||||
return fmt.Errorf("project %q: references unknown registry %q", name, proj.Registry)
|
||||
}
|
||||
}
|
||||
for stageName, stage := range proj.Stages {
|
||||
if stage.TagPattern == "" {
|
||||
return fmt.Errorf("project %q stage %q: tag_pattern is required", name, stageName)
|
||||
}
|
||||
if stage.MaxInstances < 0 {
|
||||
return fmt.Errorf("project %q stage %q: max_instances must be >= 0", name, stageName)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
@@ -0,0 +1,194 @@
|
||||
package config
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
"github.com/alexei/docker-watcher/internal/crypto"
|
||||
"github.com/alexei/docker-watcher/internal/store"
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
// ImportSeed loads the seed YAML file and imports its contents into the store.
|
||||
// Import is idempotent: it is skipped if any projects or registries already exist.
|
||||
// Credential fields (registry tokens, NPM password) are encrypted before storage.
|
||||
func ImportSeed(db *store.Store, seedPath string) error {
|
||||
if _, err := os.Stat(seedPath); os.IsNotExist(err) {
|
||||
log.Printf("No seed file at %s, skipping import", seedPath)
|
||||
return nil
|
||||
}
|
||||
|
||||
populated, err := isPopulated(db)
|
||||
if err != nil {
|
||||
return fmt.Errorf("check if db is populated: %w", err)
|
||||
}
|
||||
if populated {
|
||||
log.Println("Database already has data, skipping seed import")
|
||||
return nil
|
||||
}
|
||||
|
||||
cfg, err := LoadSeedFile(seedPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("load seed file: %w", err)
|
||||
}
|
||||
|
||||
encKey, err := crypto.KeyFromEnv()
|
||||
if err != nil {
|
||||
return fmt.Errorf("encryption key: %w", err)
|
||||
}
|
||||
|
||||
if err := importAll(db, cfg, encKey); err != nil {
|
||||
return fmt.Errorf("import seed: %w", err)
|
||||
}
|
||||
|
||||
log.Printf("Seed config imported from %s", seedPath)
|
||||
return nil
|
||||
}
|
||||
|
||||
// isPopulated returns true if the store already contains projects or registries.
|
||||
func isPopulated(db *store.Store) (bool, error) {
|
||||
projects, err := db.GetAllProjects()
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("get projects: %w", err)
|
||||
}
|
||||
if len(projects) > 0 {
|
||||
return true, nil
|
||||
}
|
||||
|
||||
registries, err := db.GetAllRegistries()
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("get registries: %w", err)
|
||||
}
|
||||
return len(registries) > 0, nil
|
||||
}
|
||||
|
||||
// now returns the current time formatted for SQLite storage.
|
||||
func now() string {
|
||||
return time.Now().UTC().Format("2006-01-02 15:04:05")
|
||||
}
|
||||
|
||||
// importAll runs the full seed import inside a database transaction.
|
||||
// Uses raw SQL within the transaction so all inserts are atomic.
|
||||
func importAll(db *store.Store, cfg SeedConfig, encKey [32]byte) error {
|
||||
tx, err := db.DB().Begin()
|
||||
if err != nil {
|
||||
return fmt.Errorf("begin transaction: %w", err)
|
||||
}
|
||||
defer tx.Rollback() //nolint:errcheck // rollback after commit is a no-op
|
||||
|
||||
timestamp := now()
|
||||
|
||||
// Import registries first — projects reference them by name.
|
||||
for name, regDef := range cfg.Registries {
|
||||
encToken, err := crypto.EncryptIfNotEmpty(encKey, regDef.Token)
|
||||
if err != nil {
|
||||
return fmt.Errorf("encrypt registry %q token: %w", name, err)
|
||||
}
|
||||
|
||||
id := uuid.New().String()
|
||||
_, err = tx.Exec(
|
||||
`INSERT INTO registries (id, name, url, type, token, created_at, updated_at)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?)`,
|
||||
id, name, regDef.URL, regDef.Type, encToken, timestamp, timestamp,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("insert registry %q: %w", name, err)
|
||||
}
|
||||
}
|
||||
|
||||
// Import projects and their stages.
|
||||
for name, projDef := range cfg.Projects {
|
||||
envJSON, err := mapToJSON(projDef.Env)
|
||||
if err != nil {
|
||||
return fmt.Errorf("encode env for project %q: %w", name, err)
|
||||
}
|
||||
volJSON, err := mapToJSON(projDef.Volumes)
|
||||
if err != nil {
|
||||
return fmt.Errorf("encode volumes for project %q: %w", name, err)
|
||||
}
|
||||
|
||||
projectID := uuid.New().String()
|
||||
_, err = tx.Exec(
|
||||
`INSERT INTO projects (id, name, registry, image, port, healthcheck, env, volumes, created_at, updated_at)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
|
||||
projectID, name, projDef.Registry, projDef.Image, projDef.Port,
|
||||
projDef.Healthcheck, envJSON, volJSON, timestamp, timestamp,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("insert project %q: %w", name, err)
|
||||
}
|
||||
|
||||
for stageName, stageDef := range projDef.Stages {
|
||||
maxInstances := stageDef.MaxInstances
|
||||
if maxInstances == 0 {
|
||||
maxInstances = 1
|
||||
}
|
||||
|
||||
stageID := uuid.New().String()
|
||||
_, err = tx.Exec(
|
||||
`INSERT INTO stages (id, project_id, name, tag_pattern, auto_deploy, max_instances, confirm, promote_from, subdomain, created_at, updated_at)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
|
||||
stageID, projectID, stageName, stageDef.TagPattern,
|
||||
boolToInt(stageDef.AutoDeploy), maxInstances,
|
||||
boolToInt(stageDef.Confirm), stageDef.PromoteFrom,
|
||||
stageDef.Subdomain, timestamp, timestamp,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("insert stage %q for project %q: %w", stageName, name, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Import global settings — encrypt NPM password.
|
||||
encNpmPassword, err := crypto.EncryptIfNotEmpty(encKey, cfg.Global.Npm.Password)
|
||||
if err != nil {
|
||||
return fmt.Errorf("encrypt npm password: %w", err)
|
||||
}
|
||||
|
||||
subdomainPattern := cfg.Global.SubdomainPattern
|
||||
if subdomainPattern == "" {
|
||||
subdomainPattern = "stage-{stage}-{project}"
|
||||
}
|
||||
|
||||
_, err = tx.Exec(
|
||||
`UPDATE settings SET
|
||||
domain=?, server_ip=?, network=?, subdomain_pattern=?, notification_url=?,
|
||||
npm_url=?, npm_email=?, npm_password=?, updated_at=?
|
||||
WHERE id = 1`,
|
||||
cfg.Global.Domain, cfg.Global.ServerIP, cfg.Global.Network,
|
||||
subdomainPattern, cfg.Global.NotificationURL,
|
||||
cfg.Global.Npm.URL, cfg.Global.Npm.Email, encNpmPassword, timestamp,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("update settings: %w", err)
|
||||
}
|
||||
|
||||
if err := tx.Commit(); err != nil {
|
||||
return fmt.Errorf("commit transaction: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// boolToInt converts a bool to an integer for SQLite storage.
|
||||
func boolToInt(b bool) int {
|
||||
if b {
|
||||
return 1
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
// mapToJSON encodes a string map to JSON. Returns "{}" for nil maps.
|
||||
func mapToJSON(m map[string]string) (string, error) {
|
||||
if m == nil {
|
||||
return "{}", nil
|
||||
}
|
||||
b, err := json.Marshal(m)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return string(b), nil
|
||||
}
|
||||
@@ -0,0 +1,96 @@
|
||||
package crypto
|
||||
|
||||
import (
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"crypto/rand"
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
)
|
||||
|
||||
// ErrNoKey is returned when ENCRYPTION_KEY is not set.
|
||||
var ErrNoKey = errors.New("ENCRYPTION_KEY environment variable is not set")
|
||||
|
||||
// DeriveKey computes a 32-byte AES-256 key from the given passphrase using SHA-256.
|
||||
// This is acceptable when ENCRYPTION_KEY is a high-entropy random string (e.g., 32+ hex chars).
|
||||
// For human-chosen passphrases, consider Argon2id or PBKDF2 with a salt instead.
|
||||
func DeriveKey(passphrase string) [32]byte {
|
||||
return sha256.Sum256([]byte(passphrase))
|
||||
}
|
||||
|
||||
// KeyFromEnv reads ENCRYPTION_KEY from the environment and derives a 32-byte key.
|
||||
func KeyFromEnv() ([32]byte, error) {
|
||||
raw := os.Getenv("ENCRYPTION_KEY")
|
||||
if raw == "" {
|
||||
return [32]byte{}, ErrNoKey
|
||||
}
|
||||
return DeriveKey(raw), nil
|
||||
}
|
||||
|
||||
// Encrypt encrypts plaintext using AES-256-GCM with a random nonce.
|
||||
// The returned ciphertext is hex-encoded: nonce || ciphertext+tag.
|
||||
func Encrypt(key [32]byte, plaintext string) (string, error) {
|
||||
block, err := aes.NewCipher(key[:])
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("create cipher: %w", err)
|
||||
}
|
||||
|
||||
gcm, err := cipher.NewGCM(block)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("create gcm: %w", err)
|
||||
}
|
||||
|
||||
nonce := make([]byte, gcm.NonceSize())
|
||||
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
|
||||
return "", fmt.Errorf("generate nonce: %w", err)
|
||||
}
|
||||
|
||||
sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
|
||||
return hex.EncodeToString(sealed), nil
|
||||
}
|
||||
|
||||
// Decrypt decrypts a hex-encoded ciphertext produced by Encrypt.
|
||||
func Decrypt(key [32]byte, ciphertextHex string) (string, error) {
|
||||
data, err := hex.DecodeString(ciphertextHex)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("decode hex: %w", err)
|
||||
}
|
||||
|
||||
block, err := aes.NewCipher(key[:])
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("create cipher: %w", err)
|
||||
}
|
||||
|
||||
gcm, err := cipher.NewGCM(block)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("create gcm: %w", err)
|
||||
}
|
||||
|
||||
nonceSize := gcm.NonceSize()
|
||||
if len(data) < nonceSize {
|
||||
return "", errors.New("ciphertext too short")
|
||||
}
|
||||
|
||||
nonce := data[:nonceSize]
|
||||
ciphertext := data[nonceSize:]
|
||||
|
||||
plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("decrypt: %w", err)
|
||||
}
|
||||
|
||||
return string(plaintext), nil
|
||||
}
|
||||
|
||||
// EncryptIfNotEmpty encrypts the value only if it is non-empty.
|
||||
// Returns empty string for empty input.
|
||||
func EncryptIfNotEmpty(key [32]byte, value string) (string, error) {
|
||||
if value == "" {
|
||||
return "", nil
|
||||
}
|
||||
return Encrypt(key, value)
|
||||
}
|
||||
@@ -51,6 +51,11 @@ func (s *Store) Close() error {
|
||||
return s.db.Close()
|
||||
}
|
||||
|
||||
// DB returns the underlying *sql.DB for advanced operations like transactions.
|
||||
func (s *Store) DB() *sql.DB {
|
||||
return s.db
|
||||
}
|
||||
|
||||
// migrate creates all tables if they do not already exist.
|
||||
func (s *Store) migrate() error {
|
||||
_, err := s.db.Exec(schema)
|
||||
|
||||
Reference in New Issue
Block a user