package main import ( "errors" "flag" "fmt" "os" "git.wntrmute.dev/kyle/mcias/internal/crypto" "git.wntrmute.dev/kyle/mcias/internal/db" ) func (t *tool) runPGCreds(args []string) { if len(args) == 0 { fatalf("pgcreds requires a subcommand: get, set") } switch args[0] { case "get": t.pgCredsGet(args[1:]) case "set": t.pgCredsSet(args[1:]) default: fatalf("unknown pgcreds subcommand %q", args[0]) } } // pgCredsGet decrypts and prints Postgres credentials for an account. // A warning is printed before the output to remind the operator that // the password is sensitive and must not be logged. // // Security: Credentials are decrypted in-memory using the master key and // printed directly to stdout. The operator is responsible for ensuring the // terminal output is not captured in logs. The plaintext password is never // written to disk. func (t *tool) pgCredsGet(args []string) { fs := flag.NewFlagSet("pgcreds get", flag.ExitOnError) id := fs.String("id", "", "account UUID (required)") _ = fs.Parse(args) if *id == "" { fatalf("pgcreds get: --id is required") } a, err := t.db.GetAccountByUUID(*id) if err != nil { fatalf("get account: %v", err) } cred, err := t.db.ReadPGCredentials(a.ID) if errors.Is(err, db.ErrNotFound) { fatalf("no Postgres credentials stored for account %s", a.Username) } if err != nil { fatalf("read pg credentials: %v", err) } // Decrypt the password. // Security: AES-256-GCM decryption; any tampering with the ciphertext or // nonce will cause decryption to fail with an authentication error. plaintext, err := crypto.OpenAESGCM(t.masterKey, cred.PGPasswordNonce, cred.PGPasswordEnc) if err != nil { fatalf("decrypt pg password: %v", err) } if err := t.db.WriteAuditEvent("pgcred_accessed", nil, &a.ID, "", `{"actor":"mciasdb"}`); err != nil { fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err) } // Print warning before sensitive output. fmt.Fprintln(os.Stderr, "WARNING: output below contains a plaintext password. Do not log or share.") fmt.Printf("Host: %s\n", cred.PGHost) fmt.Printf("Port: %d\n", cred.PGPort) fmt.Printf("Database: %s\n", cred.PGDatabase) fmt.Printf("Username: %s\n", cred.PGUsername) fmt.Printf("Password: %s\n", string(plaintext)) } // pgCredsSet prompts for a Postgres password interactively, encrypts it with // AES-256-GCM, and stores the credentials for the given account. // // Security: No --password flag is provided to prevent the password from // appearing in shell history or process listings. Encryption uses a fresh // random nonce each time. func (t *tool) pgCredsSet(args []string) { fs := flag.NewFlagSet("pgcreds set", flag.ExitOnError) id := fs.String("id", "", "account UUID (required)") host := fs.String("host", "", "Postgres host (required)") port := fs.Int("port", 5432, "Postgres port") dbName := fs.String("db", "", "Postgres database name (required)") username := fs.String("user", "", "Postgres username (required)") _ = fs.Parse(args) if *id == "" || *host == "" || *dbName == "" || *username == "" { fatalf("pgcreds set: --id, --host, --db, and --user are required") } a, err := t.db.GetAccountByUUID(*id) if err != nil { fatalf("get account: %v", err) } password, err := readPassword("Postgres password: ") if err != nil { fatalf("read password: %v", err) } if password == "" { fatalf("password must not be empty") } // Encrypt the password at rest. // Security: AES-256-GCM with a fresh random nonce ensures ciphertext // uniqueness even if the same password is stored multiple times. enc, nonce, err := crypto.SealAESGCM(t.masterKey, []byte(password)) if err != nil { fatalf("encrypt pg password: %v", err) } if err := t.db.WritePGCredentials(a.ID, *host, *port, *dbName, *username, enc, nonce); err != nil { fatalf("write pg credentials: %v", err) } if err := t.db.WriteAuditEvent("pgcred_updated", nil, &a.ID, "", `{"actor":"mciasdb"}`); err != nil { fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err) } fmt.Printf("Postgres credentials stored for account %s\n", a.Username) }