nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity
22 Commits 1 Branch 2 Tags
8432286101e1775939e71c7b6d403d7732121d8a
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Nathan Coad 8432286101 readme
2023-04-03 10:39:44 +10:00
controllers
updates
2023-04-03 10:38:53 +10:00
middlewares
admin only route is working
2023-03-29 19:52:46 +11:00
models
updates
2023-04-03 10:38:53 +10:00
utils
improve checks
2023-04-03 08:33:31 +10:00
.gitignore
improve checks
2023-04-03 08:33:31 +10:00
cert.pem
use TLS
2023-04-02 12:07:58 +10:00
go.mod
added login and test admin page
2023-03-29 14:44:50 +11:00
go.sum
added login and test admin page
2023-03-29 14:44:50 +11:00
key.pem
use TLS
2023-04-02 12:07:58 +10:00
main.go
updates
2023-04-03 10:11:56 +10:00
README.md
readme
2023-04-03 10:39:44 +10:00

README.md

CC Secrets

Overview

Design concepts at https://wiki.coadcorp.com/doc/secrets-management-idea-VGJMey7Wnd

Provide REST API for CRUD to store and retrieve user/password data for logging into devices. Only password is encrypted, via AES256 GCM. Values stored in sqlite database.

Requires JWT token to store/retrieve passwords.

This isn't super secure, probably not even as secure as Hashicorp Vault running in dev mode.

Installation

  1. Copy binary to chosen location, eg /srv/ccsecrets
  2. Create .env file in same directory as binary, populate as per Configuration section below
  3. Create systemd service definition
  4. Start service

Configuration

Environment Variable Name Description Example Default
LOG_FILE Specify the name/path of file to write log messages to /var/log/ccsecrets.log ./ccsecrets.log
BIND_IP Specify the local IP address to bind to. 127.0.0.1 Primary IPv4 address
BIND_PORT Specify the TCP/IP port to bind to. 443 8443
TLS_KEY_FILE Specify the filename of the TLS certificate private key (must be unencrypted) in PEM format key.pem privkey.pem
TLS_CERT_FILE Specify the filename of the TLS certificate file in PEM format cert.pem cert.pem
TOKEN_HOUR_LIFESPAN Number of hours that the JWT token returned at login is valid 12 No default specified, must define this value
API_SECRET Secret to use when generating JWT token 3c55990bd479322e2053db3a8 No default specified, must define this value
INITIAL_PASSWORD Password to set for builtin Administrator account created when first started, can remove this value after first start. Can specify in plaintext or bcrypt hash $2a$10$s39a82wrRAdOJVZEkkrSReVnXprz5mxU30ZBO.dHPYTncQCsUD9ce password
SECRETS_KEY Key to use for AES256 GCM encryption. Must be exactly 32 bytes AES256Key-32Characters1234567890 No default specified, must define this value

Systemd script

Create/update the systemd service definition at /etc/systemd/system/ccsecrets.service and then run systemctl daemon-reload

[Unit]
Description=CC Secrets Service
After=network.target
#StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/srv/ccsecrets/ccsecrets

[Install]
WantedBy=multi-user.target

API

User Operations

Register

POST /api/admin/register

Data

{
    "UserName": "", 
    "Password": "",
    "RoleId": 2
}

This operation can only be performed by a user with a role that is admin enabled.

Login

POST /api/login

Data

{
    "UserName": "", 
    "Password": ""
}

Secrets Operations

Store

Retrieve

Update

Description
No description provided
Readme 2.3 MiB
Releases 2
Working on database schema Latest
2024-01-16 15:12:34 +11:00
Languages
Go 80.3%
Shell 9.1%
HTML 5.3%
CSS 5.3%