mc/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
be3bc807b7f6c038ce46585ecf205f75ee01c4f5
mcias/cmd/mciasdb/pgcreds.go
Kyle Isom 41d01edfb4 Migrate module path from kyle/ to mc/ org 
All import paths updated from git.wntrmute.dev/kyle/mcias to
git.wntrmute.dev/mc/mcias to match the Gitea organization.
Includes main module and clients/go submodule.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 02:03:46 -07:00

128 lines
4.0 KiB
Go
Raw Blame History

package main
import (
"errors"
"flag"
"fmt"
"os"
"git.wntrmute.dev/mc/mcias/internal/crypto"
"git.wntrmute.dev/mc/mcias/internal/db"
)
func (t *tool) runPGCreds(args []string) {
if len(args) == 0 {
fatalf("pgcreds requires a subcommand: get, set")
}
switch args[0] {
case "get":
t.pgCredsGet(args[1:])
case "set":
t.pgCredsSet(args[1:])
default:
fatalf("unknown pgcreds subcommand %q", args[0])
}
}
// pgCredsGet decrypts and prints Postgres credentials for an account.
// A warning is printed before the output to remind the operator that
// the password is sensitive and must not be logged.
//
// Security: Credentials are decrypted in-memory using the master key and
// printed directly to stdout. The operator is responsible for ensuring the
// terminal output is not captured in logs. The plaintext password is never
// written to disk.
func (t *tool) pgCredsGet(args []string) {
fs := flag.NewFlagSet("pgcreds get", flag.ExitOnError)
id := fs.String("id", "", "account UUID (required)")
_ = fs.Parse(args)
if *id == "" {
fatalf("pgcreds get: --id is required")
}
a, err := t.db.GetAccountByUUID(*id)
if err != nil {
fatalf("get account: %v", err)
}
cred, err := t.db.ReadPGCredentials(a.ID)
if errors.Is(err, db.ErrNotFound) {
fatalf("no Postgres credentials stored for account %s", a.Username)
}
if err != nil {
fatalf("read pg credentials: %v", err)
}
// Decrypt the password.
// Security: AES-256-GCM decryption; any tampering with the ciphertext or
// nonce will cause decryption to fail with an authentication error.
plaintext, err := crypto.OpenAESGCM(t.masterKey, cred.PGPasswordNonce, cred.PGPasswordEnc)
if err != nil {
fatalf("decrypt pg password: %v", err)
}
if err := t.db.WriteAuditEvent("pgcred_accessed", nil, &a.ID, "", `{"actor":"mciasdb"}`); err != nil {
fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
}
// Print warning before sensitive output.
fmt.Fprintln(os.Stderr, "WARNING: output below contains a plaintext password. Do not log or share.")
fmt.Printf("Host: %s\n", cred.PGHost)
fmt.Printf("Port: %d\n", cred.PGPort)
fmt.Printf("Database: %s\n", cred.PGDatabase)
fmt.Printf("Username: %s\n", cred.PGUsername)
fmt.Printf("Password: %s\n", string(plaintext))
}
// pgCredsSet prompts for a Postgres password interactively, encrypts it with
// AES-256-GCM, and stores the credentials for the given account.
//
// Security: No --password flag is provided to prevent the password from
// appearing in shell history or process listings. Encryption uses a fresh
// random nonce each time.
func (t *tool) pgCredsSet(args []string) {
fs := flag.NewFlagSet("pgcreds set", flag.ExitOnError)
id := fs.String("id", "", "account UUID (required)")
host := fs.String("host", "", "Postgres host (required)")
port := fs.Int("port", 5432, "Postgres port")
dbName := fs.String("db", "", "Postgres database name (required)")
username := fs.String("user", "", "Postgres username (required)")
_ = fs.Parse(args)
if *id == "" || *host == "" || *dbName == "" || *username == "" {
fatalf("pgcreds set: --id, --host, --db, and --user are required")
}
a, err := t.db.GetAccountByUUID(*id)
if err != nil {
fatalf("get account: %v", err)
}
password, err := readPassword("Postgres password: ")
if err != nil {
fatalf("read password: %v", err)
}
if password == "" {
fatalf("password must not be empty")
}
// Encrypt the password at rest.
// Security: AES-256-GCM with a fresh random nonce ensures ciphertext
// uniqueness even if the same password is stored multiple times.
enc, nonce, err := crypto.SealAESGCM(t.masterKey, []byte(password))
if err != nil {
fatalf("encrypt pg password: %v", err)
}
if err := t.db.WritePGCredentials(a.ID, *host, *port, *dbName, *username, enc, nonce); err != nil {
fatalf("write pg credentials: %v", err)
}
if err := t.db.WriteAuditEvent("pgcred_updated", nil, &a.ID, "", `{"actor":"mciasdb"}`); err != nil {
fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
}
fmt.Printf("Postgres credentials stored for account %s\n", a.Username)
}
Reference in New Issue View Git Blame Copy Permalink