# CC Secrets

## Overview

Design concepts at https://wiki.coadcorp.com/doc/secrets-management-idea-VGJMey7Wnd

Provides a REST API with CRUD operations to store and retrieve user/password data used for logging into devices. Only the password is encrypted, via AES-256-GCM. Values are stored in a SQLite database. A JWT token is required to store or retrieve passwords.

This isn't super secure, probably not even as secure as HashiCorp Vault running in dev mode.

## Installation

1. Copy the binary to the chosen location, e.g. /srv/ccsecrets
2. Create a .env file in the same directory as the binary and populate it as per the Configuration section below
3. Create the systemd service definition
4. Start the service

## Configuration

| Environment Variable Name | Description | Example | Default |
|--|--|--|--|
| LOG_FILE | Name/path of the file to write log messages to | /var/log/ccsecrets.log | ./ccsecrets.log |
| BIND_IP | Local IP address to bind to | 127.0.0.1 | Primary IPv4 address |
| BIND_PORT | TCP port to bind to | 443 | 8443 |
| TLS_KEY_FILE | Filename of the TLS certificate private key in PEM format (must be unencrypted) | key.pem | privkey.pem |
| TLS_CERT_FILE | Filename of the TLS certificate in PEM format | cert.pem | cert.pem |
| TOKEN_HOUR_LIFESPAN | Number of hours that the JWT token returned at login is valid | 12 | No default specified, must define this value |
| API_SECRET | Secret used when signing the JWT token | 3c55990bd479322e2053db3a8 | No default specified, must define this value |
| INITIAL_PASSWORD | Password to set for the builtin Administrator account created at first start; the value can be removed after the first start. Can be specified in plaintext or as a bcrypt hash | $2a$10$s39a82wrRAdOJVZEkkrSReVnXprz5mxU30ZBO.dHPYTncQCsUD9ce | password |
| SECRETS_KEY | Key to use for AES-256-GCM encryption. Must be exactly 32 bytes | AES256Key-32Characters1234567890 | No default specified, must define this value |

## Systemd script

Create/update the systemd service definition at /etc/systemd/system/ccsecrets.service and then run `systemctl daemon-reload`.

```
[Unit]
Description=CC Secrets Service
After=network.target
#StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/srv/ccsecrets/ccsecrets

[Install]
WantedBy=multi-user.target
```

## API

### User Operations

#### Register

POST `/api/admin/register`

Data

```
{
  "UserName": "",
  "Password": "",
  "RoleId": 2
}
```

This operation can only be performed by a user whose role is admin enabled.

#### Login

POST `/api/login`

Data

```
{
  "UserName": "",
  "Password": ""
}
```

### Secrets Operations

#### Store

#### Retrieve

#### Update
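The Configuration section says the password column is protected with AES-256-GCM under SECRETS_KEY, which must be exactly 32 bytes. The Go program below is an added example of how such a column can be sealed and opened with the standard library; it is not the ccsecrets code itself. The layout it assumes (a random 12-byte nonce prepended to the GCM ciphertext, the whole thing base64-encoded for storage in SQLite) is a common convention, not something the README specifies. The key and password values are constructed sample data; the README's own example key is reused because it happens to be 32 bytes long.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed stand-in for the SECRETS_KEY .env value (the README's example key, 32 bytes).
// A real service would read this from the environment rather than hard-code it.
const sampleSecretsKey = "AES256Key-32Characters1234567890"

// CheckSecretsKey enforces the README's "must be exactly 32 bytes" rule. aes.NewCipher
// would also accept 16 or 24 bytes, silently selecting AES-128 or AES-192, so the length
// is checked explicitly before the key is ever used.
func CheckSecretsKey(key string) error {
	if len(key) != 32 {
		return fmt.Errorf("SECRETS_KEY must be exactly 32 bytes, got %d", len(key))
	}
	return nil
}

// newGCM builds an AES-256-GCM AEAD from the configured key.
func newGCM(key string) (cipher.AEAD, error) {
	if err := CheckSecretsKey(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPassword encrypts a password with AES-256-GCM. A fresh random nonce is drawn for
// every call (reusing a nonce under the same key breaks GCM), prepended to the ciphertext
// and the result base64-encoded so it can be stored as text in the database.
func SealPassword(key, password string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends the ciphertext and the GCM authentication tag to the nonce slice.
	sealed := gcm.Seal(nonce, nonce, []byte(password), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenPassword reverses SealPassword. Because GCM authenticates the ciphertext, a stored
// value that was modified in the database, or decrypted with the wrong key, produces an
// error instead of garbage plaintext.
func OpenPassword(key, stored string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	nonce, ciphertext := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	stored, err := SealPassword(sampleSecretsKey, "device-password-sample") // constructed input
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)
	plain, err := OpenPassword(sampleSecretsKey, stored)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", plain)
}
```

Two properties are worth checking when reviewing any implementation of this scheme: sealing the same password twice must yield different stored values (fresh nonce each time), and flipping a single byte of the stored value must make decryption fail rather than return a slightly different password.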
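The Login endpoint returns a JWT signed with API_SECRET that stays valid for TOKEN_HOUR_LIFESPAN hours, and the secrets endpoints require that token. The Go program below is an added example, not the project's code, of minting and verifying such an HS256 token with only the standard library so the behaviour of those two settings is visible end to end. The claim names (`sub`, `role_id`, `exp`) and the placeholder API secret are assumptions; the README does not document the token's contents. Verification rejects any `alg` other than HS256, compares the signature in constant time, and checks `exp` against an injected clock so expiry can be tested deterministically.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried in the login token (assumed shape, not documented by the README).
type Claims struct {
	UserName string `json:"sub"`
	RoleId   int    `json:"role_id"`
	Exp      int64  `json:"exp"` // Unix seconds, derived from TOKEN_HOUR_LIFESPAN
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func sign(apiSecret, signingInput string) []byte {
	mac := hmac.New(sha256.New, []byte(apiSecret))
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// MintToken builds an HS256 JWT signed with API_SECRET whose exp is now + TOKEN_HOUR_LIFESPAN.
// Both settings have no default in the README, so missing values are rejected here too.
func MintToken(apiSecret, user string, roleId, lifespanHours int, now time.Time) (string, error) {
	if apiSecret == "" || lifespanHours <= 0 {
		return "", errors.New("API_SECRET and TOKEN_HOUR_LIFESPAN must both be set")
	}
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	exp := now.Add(time.Duration(lifespanHours) * time.Hour).Unix()
	payload, err := json.Marshal(Claims{UserName: user, RoleId: roleId, Exp: exp})
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	return signingInput + "." + b64(sign(apiSecret, signingInput)), nil
}

// VerifyToken validates a token presented to a secrets endpoint. The signature is checked
// before the payload is trusted, and the header's alg is pinned so a token claiming
// "none" or another algorithm is refused.
func VerifyToken(apiSecret, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	expected := b64(sign(apiSecret, parts[0]+"."+parts[1]))
	if !hmac.Equal([]byte(expected), []byte(parts[2])) {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	const apiSecret = "PLACEHOLDER-API-SECRET" // constructed placeholder, not a real value
	token, err := MintToken(apiSecret, "Administrator", 1, 12, time.Now())
	if err != nil {
		panic(err)
	}
	claims, err := VerifyToken(apiSecret, token, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("token valid for %s until %s\n", claims.UserName, time.Unix(claims.Exp, 0).UTC())
}
```

With TOKEN_HOUR_LIFESPAN=12, a token minted at login is refused from the twelfth hour onward; rotating API_SECRET invalidates every outstanding token at once, since the signature check fails for all of them.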