Merge pull request #16 from keylockerbv/feature/passphrase-prompt

Add passphrase fallback prompt

Author: florisvdg

Dockerfile

@@ -5,4 +5,4 @@ RUN apk add --no-cache ca-certificates && update-ca-certificates
 
 EXPOSE 8080
 
-CMD secrethub-http-proxy -C ${SECRETHUB_CREDENTIAL:-$(cat /secrethub/credential)} -P ${SECRETHUB_CREDENTIAL_PASSPHRASE} -h 0.0.0.0 -p 8080
+CMD secrethub-http-proxy -C ${SECRETHUB_CREDENTIAL:-$(cat /secrethub/credential)} -P ${SECRETHUB_CREDENTIAL_PASSPHRASE:-""} -h 0.0.0.0 -p 8080

cmd/secrethub-http-proxy/main.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/keylockerbv/secrethub-http-proxy/pkg/restproxy"
 	"github.com/secrethub/secrethub-go/pkg/secrethub"
+	"golang.org/x/crypto/ssh/terminal"
 )
 
 var (
@@ -32,14 +33,46 @@ func init() {
 		exit(fmt.Errorf("credential is required"))
 	}
 
-	cred, err := secrethub.NewCredential(credential, credentialPassphrase)
+	cred, err := findCredential(credential, credentialPassphrase)
 	if err != nil {
 		exit(err)
 	}
 
 	client = secrethub.NewClient(cred, nil)
 }
 
+func findCredential(credential string, passphrase string) (secrethub.Credential, error) {
+	parser := secrethub.NewCredentialParser(secrethub.DefaultCredentialDecoders)
+
+	encoded, err := parser.Parse(credential)
+	if err != nil {
+		return nil, err
+	}
+
+	if encoded.IsEncrypted() {
+		if passphrase == "" {
+			passphrase, err = promptPassword()
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		key, err := secrethub.NewPassBasedKey([]byte(passphrase))
+		if err != nil {
+			return nil, err
+		}
+
+		credential, err := encoded.DecodeEncrypted(key)
+		if err != nil {
+			return nil, err
+		}
+
+		return credential, err
+	}
+
+	return encoded.Decode()
+}
+
 func main() {
 	proxy := restproxy.NewRESTProxy(client, host, port)
 
@@ -52,6 +85,17 @@ func main() {
 	}
 }
 
+func promptPassword() (string, error) {
+	fmt.Printf("Please put in the passphrase to unlock your credential:")
+	password, err := terminal.ReadPassword(int(syscall.Stdin))
+	fmt.Println()
+	if err != nil {
+		return "", err
+	}
+
+	return string(password), nil
+}
+
 func gracefulShutdown(proxy restproxy.ClientProxy) {
 	sigint := make(chan os.Signal, 1)
 

go.mod

@@ -3,4 +3,6 @@ module github.com/keylockerbv/secrethub-http-proxy
 require (
 	github.com/gorilla/mux v1.7.0
 	github.com/secrethub/secrethub-go v0.17.0
+	golang.org/x/crypto v0.0.0-20190225124518-7f87c0fbb88b
+	golang.org/x/sys v0.0.0-20190329044733-9eb1bfa1ce65 // indirect
 )

go.sum

@@ -31,5 +31,7 @@ github.com/secrethub/secrethub-go v0.17.0 h1:AlRbFlLofhzY7Onv1QRI0u0iB4UTr8PCrNW
 github.com/secrethub/secrethub-go v0.17.0/go.mod h1:gqrxdTNcVowCy/Bo49Y+7En12aV24wnoG3ktUF9xW/k=
 golang.org/x/crypto v0.0.0-20190225124518-7f87c0fbb88b h1:+/WWzjwW6gidDJnMKWLKLX1gxn7irUTF1fLpQovfQ5M=
 golang.org/x/crypto v0.0.0-20190225124518-7f87c0fbb88b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/sys v0.0.0-20190329044733-9eb1bfa1ce65 h1:hOY+O8MxdkPV10pNf7/XEHaySCiPKxixMKUshfHsGn0=
+golang.org/x/sys v0.0.0-20190329044733-9eb1bfa1ce65/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=