Use mcdsl/terminal for all password prompts

Replace direct golang.org/x/term calls with mcdsl/terminal across init,
unseal, migrate-aad, and migrate-barrier commands. Seal password prompts
use ReadPasswordBytes to preserve zeroization capability.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 11:40:19 -07:00
parent b8dc39fd12
commit 131d3e778a
6 changed files with 15 additions and 30 deletions


@@ -5,11 +5,10 @@ import (
"fmt" "fmt"
"log/slog" "log/slog"
"os" "os"
"syscall"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"golang.org/x/term"
"git.wntrmute.dev/mc/mcdsl/terminal"
"git.wntrmute.dev/mc/metacrypt/internal/barrier" "git.wntrmute.dev/mc/metacrypt/internal/barrier"
"git.wntrmute.dev/mc/metacrypt/internal/config" "git.wntrmute.dev/mc/metacrypt/internal/config"
"git.wntrmute.dev/mc/metacrypt/internal/crypto" "git.wntrmute.dev/mc/metacrypt/internal/crypto"
@@ -59,16 +58,12 @@ func runInit(cmd *cobra.Command, args []string) error {
return fmt.Errorf("already initialized") return fmt.Errorf("already initialized")
} }
fmt.Print("Enter seal password: ") pw1, err := terminal.ReadPasswordBytes("Enter seal password: ")
pw1, err := term.ReadPassword(int(syscall.Stdin))
fmt.Println()
if err != nil { if err != nil {
return fmt.Errorf("reading password: %w", err) return fmt.Errorf("reading password: %w", err)
} }
fmt.Print("Confirm seal password: ") pw2, err := terminal.ReadPasswordBytes("Confirm seal password: ")
pw2, err := term.ReadPassword(int(syscall.Stdin))
fmt.Println()
if err != nil { if err != nil {
return fmt.Errorf("reading password: %w", err) return fmt.Errorf("reading password: %w", err)
} }
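Review bot: The zeroization that the commit message gives as the reason for ReadPasswordBytes is not visible in this hunk: pw1 and pw2 are obtained at the two terminal.ReadPasswordBytes calls, but none of the shown lines clears them, and runInit continues past the end of the hunk, so the wipe may well sit further down. If it does not, a `defer clear(pw1)` after the first error check and `defer clear(pw2)` after the second would tie the buffer lifetime to the function (this assumes ReadPasswordBytes returns a []byte, which the name suggests but the hunk does not show). The same question applies to passwordBytes in runMigrateAAD and runMigrateBarrier, whose hunks likewise end before any clearing.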


@@ -4,12 +4,10 @@ import (
"context" "context"
"database/sql" "database/sql"
"fmt" "fmt"
"os"
"syscall"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"golang.org/x/term"
"git.wntrmute.dev/mc/mcdsl/terminal"
"git.wntrmute.dev/mc/metacrypt/internal/config" "git.wntrmute.dev/mc/metacrypt/internal/config"
"git.wntrmute.dev/mc/metacrypt/internal/crypto" "git.wntrmute.dev/mc/metacrypt/internal/crypto"
"git.wntrmute.dev/mc/metacrypt/internal/db" "git.wntrmute.dev/mc/metacrypt/internal/db"
@@ -52,9 +50,7 @@ func runMigrateAAD(cmd *cobra.Command, args []string) error {
defer func() { _ = database.Close() }() defer func() { _ = database.Close() }()
// Read unseal password. // Read unseal password.
fmt.Fprint(os.Stderr, "Unseal password: ") passwordBytes, err := terminal.ReadPasswordBytes("Unseal password: ")
passwordBytes, err := term.ReadPassword(int(syscall.Stdin))
fmt.Fprintln(os.Stderr)
if err != nil { if err != nil {
return fmt.Errorf("read password: %w", err) return fmt.Errorf("read password: %w", err)
} }
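Review bot: The prompt is no longer written explicitly to os.Stderr; the removed `fmt.Fprint(os.Stderr, "Unseal password: ")` is replaced by whichever stream terminal.ReadPasswordBytes writes to, and the hunk does not show which. If the library prompts on stdout, the command's stdout contents change, which matters when migrate output is piped. A one-line comment recording the verified behaviour, e.g. `// terminal.ReadPasswordBytes prompts on the terminal, not stdout, so piped output stays clean.`, adjusted to what the library actually does, would make the choice deliberate. The same prompt change is in runMigrateBarrier; runMigrateAAD continues beyond this hunk.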


@@ -4,12 +4,10 @@ import (
"context" "context"
"database/sql" "database/sql"
"fmt" "fmt"
"os"
"syscall"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"golang.org/x/term"
"git.wntrmute.dev/mc/mcdsl/terminal"
"git.wntrmute.dev/mc/metacrypt/internal/barrier" "git.wntrmute.dev/mc/metacrypt/internal/barrier"
"git.wntrmute.dev/mc/metacrypt/internal/config" "git.wntrmute.dev/mc/metacrypt/internal/config"
"git.wntrmute.dev/mc/metacrypt/internal/crypto" "git.wntrmute.dev/mc/metacrypt/internal/crypto"
@@ -62,9 +60,7 @@ func runMigrateBarrier(cmd *cobra.Command, args []string) error {
} }
// Read unseal password. // Read unseal password.
fmt.Fprint(os.Stderr, "Unseal password: ") passwordBytes, err := terminal.ReadPasswordBytes("Unseal password: ")
passwordBytes, err := term.ReadPassword(int(syscall.Stdin))
fmt.Fprintln(os.Stderr)
if err != nil { if err != nil {
return fmt.Errorf("read password: %w", err) return fmt.Errorf("read password: %w", err)
} }


@@ -11,10 +11,10 @@ import (
"os" "os"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"golang.org/x/term"
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/credentials" "google.golang.org/grpc/credentials"
"git.wntrmute.dev/mc/mcdsl/terminal"
metacryptv1 "git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1" metacryptv1 "git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1"
) )
@@ -43,17 +43,15 @@ func runUnseal(cmd *cobra.Command, args []string) error {
return fmt.Errorf("one of --grpc-addr or --addr is required") return fmt.Errorf("one of --grpc-addr or --addr is required")
} }
fmt.Print("Unseal password: ") password, err := terminal.ReadPassword("Unseal password: ")
passwordBytes, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec
fmt.Println()
if err != nil { if err != nil {
return fmt.Errorf("read password: %w", err) return fmt.Errorf("read password: %w", err)
} }
if unsealGRPCAddr != "" { if unsealGRPCAddr != "" {
return unsealViaGRPC(unsealGRPCAddr, unsealCACert, string(passwordBytes)) return unsealViaGRPC(unsealGRPCAddr, unsealCACert, password)
} }
return unsealViaREST(unsealAddr, unsealCACert, string(passwordBytes)) return unsealViaREST(unsealAddr, unsealCACert, password)
} }
func buildTLSConfig(caCertPath string) (*tls.Config, error) { func buildTLSConfig(caCertPath string) (*tls.Config, error) {
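Review bot: runUnseal is now the only command in this commit that uses the string-returning terminal.ReadPassword while the other three use ReadPasswordBytes, and nothing in the hunk says why. A short comment above the call would keep the rationale with the code, e.g. `// The password is handed to unsealViaGRPC/unsealViaREST as a string, so the zeroizable []byte form gains nothing here.` (the string arguments are visible in the two calls below). It is also worth confirming that terminal.ReadPassword emits the trailing newline the removed `fmt.Println()` used to, so the next line of output does not land on the prompt line.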

go.mod

@@ -4,12 +4,11 @@ go 1.25.7
require ( require (
git.wntrmute.dev/kyle/goutils v1.21.0 git.wntrmute.dev/kyle/goutils v1.21.0
git.wntrmute.dev/mc/mcdsl v1.2.0 git.wntrmute.dev/mc/mcdsl v1.4.0
github.com/go-chi/chi/v5 v5.2.5 github.com/go-chi/chi/v5 v5.2.5
github.com/spf13/cobra v1.10.2 github.com/spf13/cobra v1.10.2
github.com/spf13/viper v1.21.0 github.com/spf13/viper v1.21.0
golang.org/x/crypto v0.49.0 golang.org/x/crypto v0.49.0
golang.org/x/term v0.41.0
google.golang.org/grpc v1.79.3 google.golang.org/grpc v1.79.3
google.golang.org/protobuf v1.36.11 google.golang.org/protobuf v1.36.11
) )
@@ -33,6 +32,7 @@ require (
go.yaml.in/yaml/v3 v3.0.4 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/net v0.51.0 // indirect golang.org/x/net v0.51.0 // indirect
golang.org/x/sys v0.42.0 // indirect golang.org/x/sys v0.42.0 // indirect
golang.org/x/term v0.41.0 // indirect
golang.org/x/text v0.35.0 // indirect golang.org/x/text v0.35.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
modernc.org/libc v1.70.0 // indirect modernc.org/libc v1.70.0 // indirect

go.sum

@@ -1,7 +1,7 @@
git.wntrmute.dev/kyle/goutils v1.21.0 h1:ZR7ovV400hsF09zc8tkdHs6vyen8TDJ7flong/dnFXM= git.wntrmute.dev/kyle/goutils v1.21.0 h1:ZR7ovV400hsF09zc8tkdHs6vyen8TDJ7flong/dnFXM=
git.wntrmute.dev/kyle/goutils v1.21.0/go.mod h1:JQ8NL5lHSEYl719UMf20p4G1ei70RVGma0hjjNXCR2c= git.wntrmute.dev/kyle/goutils v1.21.0/go.mod h1:JQ8NL5lHSEYl719UMf20p4G1ei70RVGma0hjjNXCR2c=
git.wntrmute.dev/mc/mcdsl v1.2.0 h1:41hep7/PNZJfN0SN/nM+rQpyF1GSZcvNNjyVG81DI7U= git.wntrmute.dev/mc/mcdsl v1.4.0 h1:PsEIyskcjBduwHSRwNB/U/uSeU/cv3C8MVr0SRjBRLg=
git.wntrmute.dev/mc/mcdsl v1.2.0/go.mod h1:lXYrAt74ZUix6rx9oVN8d2zH1YJoyp4uxPVKQ+SSxuM= git.wntrmute.dev/mc/mcdsl v1.4.0/go.mod h1:MhYahIu7Sg53lE2zpQ20nlrsoNRjQzOJBAlCmom2wJc=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=