nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity
Files
95c6bccefb20e18f38e7241390a2133150779adb
smt/README.md
Nathan Coad 95c6bccefb
All checks were successful
continuous-integration/drone/push Build is passing
Details
fix request type for secret list
2023-04-13 14:11:13 +10:00

5.2 KiB
Raw Blame History

Secrets Management Tool (SMT)

Overview

Provide REST API for CRUD to store and retrieve user/password data for logging into devices. Only password is encrypted, via AES256 GCM. Values stored in sqlite database.

Requires JWT token to store/retrieve passwords.

This isn't super secure, probably not even as secure as Hashicorp Vault running in dev mode.

Installation

  1. Copy binary to chosen location, eg /srv/ccsecrets
  2. Create .env file in same directory as binary, populate as per Configuration section below
  3. Create systemd service definition
  4. Start service

Configuration

Environment Variable Name Description Example Default
LOG_FILE Specify the name/path of file to write log messages to /var/log/ccsecrets.log ./ccsecrets.log
BIND_IP Specify the local IP address to bind to. 127.0.0.1 Primary IPv4 address
BIND_PORT Specify the TCP/IP port to bind to. 443 8443
TLS_KEY_FILE Specify the filename of the TLS certificate private key (must be unencrypted) in PEM format key.pem privkey.pem
TLS_CERT_FILE Specify the filename of the TLS certificate file in PEM format cert.pem cert.pem
TOKEN_HOUR_LIFESPAN Number of hours that the JWT token returned at login is valid 12 No default specified, must define this value
API_SECRET Secret to use when generating JWT token 3c55990bd479322e2053db3a8 No default specified, must define this value
INITIAL_PASSWORD Password to set for builtin Administrator account created when first started, can remove this value after first start. Can specify in plaintext or bcrypt hash $2a$10$s39a82wrRAdOJVZEkkrSReVnXprz5mxU30ZBO.dHPYTncQCsUD9ce password
SECRETS_KEY Key to use for AES256 GCM encryption. Must be exactly 32 bytes AES256Key-32Characters1234567890 No default specified, must define this value

If the TLS certificate and key files cannot be located in the specified location, a self signed certificate will be generated with a 1 year validity period.

Systemd script

Create/update the systemd service definition at /etc/systemd/system/smt.service and then run systemctl daemon-reload

[Unit]
Description=Secrets Management Tool
After=network.target
#StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/srv/smt/smt

[Install]
WantedBy=multi-user.target

API

User Operations

Register

POST /api/admin/register

Data

{
    "username": "", 
    "password": "",
    "RoleId": 2
}

This operation can only be performed by a user with a role that is admin enabled. There are 3 built in roles, which can be viewed via the /api/admin/roles endpoint.

Login

POST /api/login

Data

{
    "username": "", 
    "password": ""
}

This API call will return a JWT token that must be present for any other API calls to succeed. The validity duration of this token is based on the configured TOKEN_HOUR_LIFESPAN value. JWT token is returned as value of access_token.

List Roles

GET /api/admin/roles

This operation can only be performed by a user with a role that is admin enabled. Lists currently defined roles.

List Users

GET /api/admin/users

This operation can only be performed by a user with a role that is admin enabled. Lists currently defined users.

Secrets Operations

Store

POST /api/secret/store

Data

{
    "deviceName": "",
    "deviceCategory": "",
    "userName": "",
    "secretValue": ""
}

Must be logged in to execute this command. Role of current user cannot be a ReadOnly role. Secret will be stored with the RoleId of the currently logged in user. Either deviceName or deviceCategory can be blank but not both.

If a secret exists for this RoleId and matching deviceName and deviceCategory then an error will be generated.

Retrieve

POST /api/secret/retrieve

Data

{
    "deviceName": "",
    "deviceCategory": ""
}

Must be logged in to execute this command. Only secrets registered with the current user's RoleId can be retrieved.

Either deviceName or deviceCategory can be specified (or both). Wildcards are supported for both deviceName and deviceCategory fields.

  1. The percent sign % wildcard matches any sequence of zero or more characters.
  2. The underscore _ wildcard matches any single character.

GET /api/secret/retrieve/name/<searchname>

Search for a secret specified by deviceName using a GET request. Must be logged in to execute this command. Only secrets registered with the current user's RoleId can be retrieved.

GET /api/secret/retrieve/category/<searchname>

Search for a secret specified by deviceCategory using a GET request. Must be logged in to execute this command. Only secrets registered with the current user's RoleId can be retrieved.

Update

POST /api/secret/update

Data

{
    "deviceName": "",
    "deviceCategory": "",
    "userName": "",
    "secretValue": ""
}

Users with ReadOnly role will receive Forbidden error when calling this API endpoint. The values specified in deviceName and deviceCategory must match exactly one existing secret record for the RoleId of the currently logged in user. Wildcards are supported for deviceName and deviceCategory.

List

GET /api/secret/list

Will generate a list of device names and categories but not secret data.