From b8e348db03841affac9b6e2d356bad31dfe85ed4 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 15 Mar 2026 16:38:17 +0000 Subject: [PATCH] Add TLS unsealing via gRPC to CLI and server Implements the SystemService gRPC endpoint (Status, Init, Unseal, Seal) alongside the existing REST API, secured with the same TLS certificate. The `metacrypt unseal` CLI command now prefers gRPC when --grpc-addr is provided, falling back to the REST API via --addr. Both transports require TLS; a custom CA certificate can be supplied with --ca-cert. Server changes: - internal/server/grpc.go: SystemServiceServer implementation with StartGRPC/ShutdownGRPC methods; uses the TLS cert from config. - internal/server/server.go: adds grpcSrv field and grpc import. - cmd/metacrypt/server.go: starts gRPC goroutine when grpc_addr is set in config, shuts it down on signal. Generated code (from proto/metacrypt/v1/system.proto): - gen/metacrypt/v1/system.pb.go: protobuf message types - gen/metacrypt/v1/system_grpc.pb.go: gRPC client/server stubs Dependencies added to go.mod (run `go mod tidy` to populate go.sum): - google.golang.org/grpc v1.71.1 - google.golang.org/protobuf v1.36.5 - google.golang.org/genproto/googleapis/rpc (indirect) - golang.org/x/net (indirect) https://claude.ai/code/session_013m1QXGoTB4jaPUN5gwir8F --- cmd/metacrypt/server.go | 10 + cmd/metacrypt/unseal.go | 132 ++++++++++ gen/metacrypt/v1/system.pb.go | 381 +++++++++++++++++++++++++++++ gen/metacrypt/v1/system_grpc.pb.go | 208 ++++++++++++++++ go.mod | 4 + internal/server/grpc.go | 125 ++++++++++ internal/server/server.go | 2 + 7 files changed, 862 insertions(+) create mode 100644 cmd/metacrypt/unseal.go create mode 100644 gen/metacrypt/v1/system.pb.go create mode 100644 gen/metacrypt/v1/system_grpc.pb.go create mode 100644 internal/server/grpc.go diff --git a/cmd/metacrypt/server.go b/cmd/metacrypt/server.go index 16687e6..7ba9dba 100644 --- a/cmd/metacrypt/server.go +++ b/cmd/metacrypt/server.go @@ -86,7 +86,17 @@ func runServer(cmd *cobra.Command, args []string) error { } }() + if cfg.Server.GRPCAddr != "" { + go func() { + if err := srv.StartGRPC(); err != nil { + logger.Error("grpc server error", "error", err) + os.Exit(1) + } + }() + } + <-ctx.Done() logger.Info("shutting down") + srv.ShutdownGRPC() return srv.Shutdown(context.Background()) } diff --git a/cmd/metacrypt/unseal.go b/cmd/metacrypt/unseal.go new file mode 100644 index 0000000..d91ff1c --- /dev/null +++ b/cmd/metacrypt/unseal.go @@ -0,0 +1,132 @@ +package main + +import ( + "bytes" + "context" + "crypto/tls" + "crypto/x509" + "encoding/json" + "fmt" + "net/http" + "os" + + "github.com/spf13/cobra" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + "golang.org/x/term" + + metacryptv1 "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1" +) + +var unsealCmd = &cobra.Command{ + Use: "unseal", + Short: "Unseal the Metacrypt service", + Long: "Send an unseal request to a running Metacrypt server over TLS. Uses gRPC when --grpc-addr is provided, otherwise falls back to the REST API.", + RunE: runUnseal, +} + +var ( + unsealAddr string + unsealGRPCAddr string + unsealCACert string +) + +func init() { + unsealCmd.Flags().StringVar(&unsealAddr, "addr", "", "REST server address (e.g., https://localhost:8443)") + unsealCmd.Flags().StringVar(&unsealGRPCAddr, "grpc-addr", "", "gRPC server address (e.g., localhost:9443); preferred over --addr when set") + unsealCmd.Flags().StringVar(&unsealCACert, "ca-cert", "", "path to CA certificate for TLS verification") + rootCmd.AddCommand(unsealCmd) +} + +func runUnseal(cmd *cobra.Command, args []string) error { + if unsealGRPCAddr == "" && unsealAddr == "" { + return fmt.Errorf("one of --grpc-addr or --addr is required") + } + + fmt.Print("Unseal password: ") + passwordBytes, err := term.ReadPassword(int(os.Stdin.Fd())) + fmt.Println() + if err != nil { + return fmt.Errorf("read password: %w", err) + } + + if unsealGRPCAddr != "" { + return unsealViaGRPC(unsealGRPCAddr, unsealCACert, string(passwordBytes)) + } + return unsealViaREST(unsealAddr, unsealCACert, string(passwordBytes)) +} + +func buildTLSConfig(caCertPath string) (*tls.Config, error) { + tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12} + if caCertPath != "" { + pem, err := os.ReadFile(caCertPath) + if err != nil { + return nil, fmt.Errorf("read CA cert: %w", err) + } + pool := x509.NewCertPool() + if !pool.AppendCertsFromPEM(pem) { + return nil, fmt.Errorf("no valid certs in CA file") + } + tlsCfg.RootCAs = pool + } + return tlsCfg, nil +} + +func unsealViaGRPC(addr, caCertPath, password string) error { + tlsCfg, err := buildTLSConfig(caCertPath) + if err != nil { + return err + } + + conn, err := grpc.NewClient(addr, grpc.WithTransportCredentials(credentials.NewTLS(tlsCfg))) + if err != nil { + return fmt.Errorf("grpc dial: %w", err) + } + defer conn.Close() + + client := metacryptv1.NewSystemServiceClient(conn) + resp, err := client.Unseal(context.Background(), &metacryptv1.UnsealRequest{Password: password}) + if err != nil { + return fmt.Errorf("unseal failed: %w", err) + } + + fmt.Printf("State: %s\n", resp.State) + return nil +} + +func unsealViaREST(addr, caCertPath, password string) error { + tlsCfg, err := buildTLSConfig(caCertPath) + if err != nil { + return err + } + + client := &http.Client{ + Transport: &http.Transport{TLSClientConfig: tlsCfg}, + } + + body, err := json.Marshal(map[string]string{"password": password}) + if err != nil { + return fmt.Errorf("encode request: %w", err) + } + + resp, err := client.Post(addr+"/v1/unseal", "application/json", bytes.NewReader(body)) + if err != nil { + return err + } + defer resp.Body.Close() + + var result struct { + State string `json:"state"` + Error string `json:"error"` + } + if err := json.NewDecoder(resp.Body).Decode(&result); err != nil { + return fmt.Errorf("decode response: %w", err) + } + + if result.Error != "" { + return fmt.Errorf("unseal failed: %s", result.Error) + } + + fmt.Printf("State: %s\n", result.State) + return nil +} diff --git a/gen/metacrypt/v1/system.pb.go b/gen/metacrypt/v1/system.pb.go new file mode 100644 index 0000000..f25cfb3 --- /dev/null +++ b/gen/metacrypt/v1/system.pb.go @@ -0,0 +1,381 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: proto/metacrypt/v1/system.proto + +package metacryptv1 + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type StatusRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *StatusRequest) Reset() { + *x = StatusRequest{} + mi := &file_system_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} +func (x *StatusRequest) String() string { return protoimpl.X.MessageStringOf(x) } +func (*StatusRequest) ProtoMessage() {} +func (x *StatusRequest) ProtoReflect() protoreflect.Message { + mi := &file_system_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +type StatusResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + State string `protobuf:"bytes,1,opt,name=state,proto3" json:"state,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *StatusResponse) Reset() { + *x = StatusResponse{} + mi := &file_system_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} +func (x *StatusResponse) String() string { return protoimpl.X.MessageStringOf(x) } +func (*StatusResponse) ProtoMessage() {} +func (x *StatusResponse) ProtoReflect() protoreflect.Message { + mi := &file_system_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} +func (x *StatusResponse) GetState() string { + if x != nil { + return x.State + } + return "" +} + +type InitRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Password string `protobuf:"bytes,1,opt,name=password,proto3" json:"password,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *InitRequest) Reset() { + *x = InitRequest{} + mi := &file_system_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} +func (x *InitRequest) String() string { return protoimpl.X.MessageStringOf(x) } +func (*InitRequest) ProtoMessage() {} +func (x *InitRequest) ProtoReflect() protoreflect.Message { + mi := &file_system_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} +func (x *InitRequest) GetPassword() string { + if x != nil { + return x.Password + } + return "" +} + +type InitResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + State string `protobuf:"bytes,1,opt,name=state,proto3" json:"state,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *InitResponse) Reset() { + *x = InitResponse{} + mi := &file_system_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} +func (x *InitResponse) String() string { return protoimpl.X.MessageStringOf(x) } +func (*InitResponse) ProtoMessage() {} +func (x *InitResponse) ProtoReflect() protoreflect.Message { + mi := &file_system_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} +func (x *InitResponse) GetState() string { + if x != nil { + return x.State + } + return "" +} + +type UnsealRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Password string `protobuf:"bytes,1,opt,name=password,proto3" json:"password,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *UnsealRequest) Reset() { + *x = UnsealRequest{} + mi := &file_system_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} +func (x *UnsealRequest) String() string { return protoimpl.X.MessageStringOf(x) } +func (*UnsealRequest) ProtoMessage() {} +func (x *UnsealRequest) ProtoReflect() protoreflect.Message { + mi := &file_system_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} +func (x *UnsealRequest) GetPassword() string { + if x != nil { + return x.Password + } + return "" +} + +type UnsealResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + State string `protobuf:"bytes,1,opt,name=state,proto3" json:"state,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *UnsealResponse) Reset() { + *x = UnsealResponse{} + mi := &file_system_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} +func (x *UnsealResponse) String() string { return protoimpl.X.MessageStringOf(x) } +func (*UnsealResponse) ProtoMessage() {} +func (x *UnsealResponse) ProtoReflect() protoreflect.Message { + mi := &file_system_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} +func (x *UnsealResponse) GetState() string { + if x != nil { + return x.State + } + return "" +} + +type SealRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SealRequest) Reset() { + *x = SealRequest{} + mi := &file_system_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} +func (x *SealRequest) String() string { return protoimpl.X.MessageStringOf(x) } +func (*SealRequest) ProtoMessage() {} +func (x *SealRequest) ProtoReflect() protoreflect.Message { + mi := &file_system_proto_msgTypes[6] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +type SealResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + State string `protobuf:"bytes,1,opt,name=state,proto3" json:"state,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SealResponse) Reset() { + *x = SealResponse{} + mi := &file_system_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} +func (x *SealResponse) String() string { return protoimpl.X.MessageStringOf(x) } +func (*SealResponse) ProtoMessage() {} +func (x *SealResponse) ProtoReflect() protoreflect.Message { + mi := &file_system_proto_msgTypes[7] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} +func (x *SealResponse) GetState() string { + if x != nil { + return x.State + } + return "" +} + +// file descriptor compiled from proto/metacrypt/v1/system.proto +var file_system_proto_rawDesc = []byte{ + 0x0a, 0x1e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, + 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x12, 0x0c, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, 0x31, 0x22, + 0x0f, 0x0a, 0x0d, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x22, 0x27, 0x0a, 0x0e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x15, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0x28, 0x0a, 0x0b, 0x49, 0x6e, 0x69, 0x74, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, + 0x6f, 0x72, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, + 0x6f, 0x72, 0x64, 0x22, 0x25, 0x0a, 0x0c, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x15, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0x2a, 0x0a, 0x0d, 0x55, 0x6e, 0x73, + 0x65, 0x61, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x70, 0x61, + 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, + 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x22, 0x27, 0x0a, 0x0e, 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x15, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, + 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0x0d, + 0x0a, 0x0b, 0x53, 0x65, 0x61, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x25, 0x0a, + 0x0c, 0x53, 0x65, 0x61, 0x6c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x15, 0x0a, + 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x73, 0x74, + 0x61, 0x74, 0x65, 0x32, 0xc7, 0x01, 0x0a, 0x0d, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x53, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x38, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, + 0x1b, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, + 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x6d, + 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x74, 0x61, 0x74, + 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x32, 0x0a, 0x04, 0x49, 0x6e, + 0x69, 0x74, 0x12, 0x19, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, + 0x31, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1a, 0x2e, + 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x6e, 0x69, + 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x38, 0x0a, 0x06, 0x55, 0x6e, 0x73, + 0x65, 0x61, 0x6c, 0x12, 0x1b, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, + 0x76, 0x31, 0x2e, 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x1c, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, 0x31, 0x2e, + 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x0e, + 0x0a, 0x04, 0x53, 0x65, 0x61, 0x6c, 0x12, 0x19, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, + 0x70, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x61, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x1a, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, 0x31, + 0x2e, 0x53, 0x65, 0x61, 0x6c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x44, 0x5a, + 0x42, 0x67, 0x69, 0x74, 0x2e, 0x77, 0x6e, 0x74, 0x72, 0x6d, 0x75, 0x74, 0x65, 0x2e, 0x64, 0x65, + 0x76, 0x2f, 0x6b, 0x79, 0x6c, 0x65, 0x2f, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, + 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, 0x76, + 0x31, 0x3b, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_system_proto_rawDescOnce sync.Once + file_system_proto_rawDescData []byte +) + +func file_system_proto_rawDescGZIP() []byte { + file_system_proto_rawDescOnce.Do(func() { + file_system_proto_rawDescData = file_system_proto_rawDesc + }) + return file_system_proto_rawDescData +} + +var file_system_proto_msgTypes = make([]protoimpl.MessageInfo, 8) +var file_system_proto_goTypes = []any{ + (*StatusRequest)(nil), // 0 + (*StatusResponse)(nil), // 1 + (*InitRequest)(nil), // 2 + (*InitResponse)(nil), // 3 + (*UnsealRequest)(nil), // 4 + (*UnsealResponse)(nil), // 5 + (*SealRequest)(nil), // 6 + (*SealResponse)(nil), // 7 +} +var file_system_proto_depIdxs = []int32{ + 0, // 0: metacrypt.v1.SystemService.Status:input_type -> metacrypt.v1.StatusRequest + 2, // 1: metacrypt.v1.SystemService.Init:input_type -> metacrypt.v1.InitRequest + 4, // 2: metacrypt.v1.SystemService.Unseal:input_type -> metacrypt.v1.UnsealRequest + 6, // 3: metacrypt.v1.SystemService.Seal:input_type -> metacrypt.v1.SealRequest + 1, // 4: metacrypt.v1.SystemService.Status:output_type -> metacrypt.v1.StatusResponse + 3, // 5: metacrypt.v1.SystemService.Init:output_type -> metacrypt.v1.InitResponse + 5, // 6: metacrypt.v1.SystemService.Unseal:output_type -> metacrypt.v1.UnsealResponse + 7, // 7: metacrypt.v1.SystemService.Seal:output_type -> metacrypt.v1.SealResponse + 4, // [4:8] is the sub-list for method output_type + 0, // [0:4] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_system_proto_init() } + +func file_system_proto_init() { + if File_system_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_system_proto_rawDesc, + NumEnums: 0, + NumMessages: 8, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_system_proto_goTypes, + DependencyIndexes: file_system_proto_depIdxs, + MessageInfos: file_system_proto_msgTypes, + }.Build() + File_system_proto = out.File + file_system_proto_rawDescData = nil + file_system_proto_goTypes = nil + file_system_proto_depIdxs = nil +} + +// File_system_proto is the protoreflect.FileDescriptor for proto/metacrypt/v1/system.proto. +var File_system_proto protoreflect.FileDescriptor diff --git a/gen/metacrypt/v1/system_grpc.pb.go b/gen/metacrypt/v1/system_grpc.pb.go new file mode 100644 index 0000000..a2e6b74 --- /dev/null +++ b/gen/metacrypt/v1/system_grpc.pb.go @@ -0,0 +1,208 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// source: proto/metacrypt/v1/system.proto + +package metacryptv1 + +import ( + context "context" + + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// SystemServiceClient is the client API for SystemService. +type SystemServiceClient interface { + Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) + Init(ctx context.Context, in *InitRequest, opts ...grpc.CallOption) (*InitResponse, error) + Unseal(ctx context.Context, in *UnsealRequest, opts ...grpc.CallOption) (*UnsealResponse, error) + Seal(ctx context.Context, in *SealRequest, opts ...grpc.CallOption) (*SealResponse, error) +} + +type systemServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewSystemServiceClient(cc grpc.ClientConnInterface) SystemServiceClient { + return &systemServiceClient{cc} +} + +func (c *systemServiceClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(StatusResponse) + err := c.cc.Invoke(ctx, SystemService_Status_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *systemServiceClient) Init(ctx context.Context, in *InitRequest, opts ...grpc.CallOption) (*InitResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(InitResponse) + err := c.cc.Invoke(ctx, SystemService_Init_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *systemServiceClient) Unseal(ctx context.Context, in *UnsealRequest, opts ...grpc.CallOption) (*UnsealResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(UnsealResponse) + err := c.cc.Invoke(ctx, SystemService_Unseal_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *systemServiceClient) Seal(ctx context.Context, in *SealRequest, opts ...grpc.CallOption) (*SealResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(SealResponse) + err := c.cc.Invoke(ctx, SystemService_Seal_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// SystemServiceServer is the server API for SystemService. +type SystemServiceServer interface { + Status(context.Context, *StatusRequest) (*StatusResponse, error) + Init(context.Context, *InitRequest) (*InitResponse, error) + Unseal(context.Context, *UnsealRequest) (*UnsealResponse, error) + Seal(context.Context, *SealRequest) (*SealResponse, error) + mustEmbedUnimplementedSystemServiceServer() +} + +// UnimplementedSystemServiceServer must be embedded to have forward-compatible implementations. +type UnimplementedSystemServiceServer struct{} + +func (UnimplementedSystemServiceServer) Status(context.Context, *StatusRequest) (*StatusResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Status not implemented") +} +func (UnimplementedSystemServiceServer) Init(context.Context, *InitRequest) (*InitResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Init not implemented") +} +func (UnimplementedSystemServiceServer) Unseal(context.Context, *UnsealRequest) (*UnsealResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Unseal not implemented") +} +func (UnimplementedSystemServiceServer) Seal(context.Context, *SealRequest) (*SealResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Seal not implemented") +} +func (UnimplementedSystemServiceServer) mustEmbedUnimplementedSystemServiceServer() {} + +// UnsafeSystemServiceServer may be embedded to opt out of forward compatibility. +type UnsafeSystemServiceServer interface { + mustEmbedUnimplementedSystemServiceServer() +} + +const ( + SystemService_Status_FullMethodName = "/metacrypt.v1.SystemService/Status" + SystemService_Init_FullMethodName = "/metacrypt.v1.SystemService/Init" + SystemService_Unseal_FullMethodName = "/metacrypt.v1.SystemService/Unseal" + SystemService_Seal_FullMethodName = "/metacrypt.v1.SystemService/Seal" +) + +func RegisterSystemServiceServer(s grpc.ServiceRegistrar, srv SystemServiceServer) { + s.RegisterService(&SystemService_ServiceDesc, srv) +} + +func _SystemService_Status_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(StatusRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SystemServiceServer).Status(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SystemService_Status_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SystemServiceServer).Status(ctx, req.(*StatusRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _SystemService_Init_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(InitRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SystemServiceServer).Init(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SystemService_Init_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SystemServiceServer).Init(ctx, req.(*InitRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _SystemService_Unseal_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(UnsealRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SystemServiceServer).Unseal(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SystemService_Unseal_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SystemServiceServer).Unseal(ctx, req.(*UnsealRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _SystemService_Seal_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(SealRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SystemServiceServer).Seal(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SystemService_Seal_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SystemServiceServer).Seal(ctx, req.(*SealRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// SystemService_ServiceDesc is the grpc.ServiceDesc for SystemService service. +var SystemService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "metacrypt.v1.SystemService", + HandlerType: (*SystemServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Status", + Handler: _SystemService_Status_Handler, + }, + { + MethodName: "Init", + Handler: _SystemService_Init_Handler, + }, + { + MethodName: "Unseal", + Handler: _SystemService_Unseal_Handler, + }, + { + MethodName: "Seal", + Handler: _SystemService_Seal_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "proto/metacrypt/v1/system.proto", +} diff --git a/go.mod b/go.mod index d7cccb1..0a4afac 100644 --- a/go.mod +++ b/go.mod @@ -15,6 +15,8 @@ require ( github.com/spf13/viper v1.21.0 golang.org/x/crypto v0.49.0 golang.org/x/term v0.41.0 + google.golang.org/grpc v1.71.1 + google.golang.org/protobuf v1.36.5 modernc.org/sqlite v1.46.1 ) @@ -35,8 +37,10 @@ require ( github.com/subosito/gotenv v1.6.0 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect + golang.org/x/net v0.40.0 // indirect golang.org/x/sys v0.42.0 // indirect golang.org/x/text v0.35.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect modernc.org/libc v1.67.6 // indirect modernc.org/mathutil v1.7.1 // indirect modernc.org/memory v1.11.0 // indirect diff --git a/internal/server/grpc.go b/internal/server/grpc.go new file mode 100644 index 0000000..27ebcfd --- /dev/null +++ b/internal/server/grpc.go @@ -0,0 +1,125 @@ +package server + +import ( + "context" + "crypto/tls" + "fmt" + "net" + + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/credentials" + grpcstatus "google.golang.org/grpc/status" + + metacryptv1 "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1" + "git.wntrmute.dev/kyle/metacrypt/internal/crypto" + "git.wntrmute.dev/kyle/metacrypt/internal/seal" +) + +// systemServiceServer implements metacryptv1.SystemServiceServer. +type systemServiceServer struct { + metacryptv1.UnimplementedSystemServiceServer + s *Server +} + +func (g *systemServiceServer) Status(_ context.Context, _ *metacryptv1.StatusRequest) (*metacryptv1.StatusResponse, error) { + return &metacryptv1.StatusResponse{State: g.s.seal.State().String()}, nil +} + +func (g *systemServiceServer) Init(ctx context.Context, req *metacryptv1.InitRequest) (*metacryptv1.InitResponse, error) { + params := crypto.Argon2Params{ + Time: g.s.cfg.Seal.Argon2Time, + Memory: g.s.cfg.Seal.Argon2Memory, + Threads: g.s.cfg.Seal.Argon2Threads, + } + if err := g.s.seal.Initialize(ctx, []byte(req.Password), params); err != nil { + if err == seal.ErrAlreadyInitialized { + return nil, grpcstatus.Error(codes.AlreadyExists, "already initialized") + } + g.s.logger.Error("grpc init failed", "error", err) + return nil, grpcstatus.Error(codes.Internal, "initialization failed") + } + return &metacryptv1.InitResponse{State: g.s.seal.State().String()}, nil +} + +func (g *systemServiceServer) Unseal(ctx context.Context, req *metacryptv1.UnsealRequest) (*metacryptv1.UnsealResponse, error) { + if err := g.s.seal.Unseal([]byte(req.Password)); err != nil { + switch err { + case seal.ErrNotInitialized: + return nil, grpcstatus.Error(codes.FailedPrecondition, "not initialized") + case seal.ErrInvalidPassword: + return nil, grpcstatus.Error(codes.Unauthenticated, "invalid password") + case seal.ErrRateLimited: + return nil, grpcstatus.Error(codes.ResourceExhausted, "too many attempts, try again later") + case seal.ErrNotSealed: + return nil, grpcstatus.Error(codes.AlreadyExists, "already unsealed") + default: + g.s.logger.Error("grpc unseal failed", "error", err) + return nil, grpcstatus.Error(codes.Internal, "unseal failed") + } + } + + if err := g.s.engines.UnsealAll(ctx); err != nil { + g.s.logger.Error("grpc engine unseal failed", "error", err) + return nil, grpcstatus.Error(codes.Internal, "engine unseal failed") + } + + return &metacryptv1.UnsealResponse{State: g.s.seal.State().String()}, nil +} + +func (g *systemServiceServer) Seal(_ context.Context, _ *metacryptv1.SealRequest) (*metacryptv1.SealResponse, error) { + if err := g.s.engines.SealAll(); err != nil { + g.s.logger.Error("grpc seal engines failed", "error", err) + } + if err := g.s.seal.Seal(); err != nil { + g.s.logger.Error("grpc seal failed", "error", err) + return nil, grpcstatus.Error(codes.Internal, "seal failed") + } + g.s.auth.ClearCache() + return &metacryptv1.SealResponse{State: g.s.seal.State().String()}, nil +} + +// StartGRPC starts the gRPC server on cfg.Server.GRPCAddr using the same TLS +// certificate as the HTTP server. It blocks until the listener closes. +func (s *Server) StartGRPC() error { + if s.cfg.Server.GRPCAddr == "" { + return nil + } + + cert, err := tls.LoadX509KeyPair(s.cfg.Server.TLSCert, s.cfg.Server.TLSKey) + if err != nil { + return fmt.Errorf("grpc: load TLS key pair: %w", err) + } + tlsCfg := &tls.Config{ + Certificates: []tls.Certificate{cert}, + MinVersion: tls.VersionTLS12, + CipherSuites: []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + }, + } + + grpcSrv := grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsCfg))) + metacryptv1.RegisterSystemServiceServer(grpcSrv, &systemServiceServer{s: s}) + + lis, err := net.Listen("tcp", s.cfg.Server.GRPCAddr) + if err != nil { + return fmt.Errorf("grpc: listen: %w", err) + } + + s.grpcSrv = grpcSrv + s.logger.Info("starting gRPC server", "addr", s.cfg.Server.GRPCAddr) + if err := grpcSrv.Serve(lis); err != nil { + return fmt.Errorf("grpc: serve: %w", err) + } + return nil +} + +// ShutdownGRPC gracefully stops the gRPC server. +func (s *Server) ShutdownGRPC() { + if s.grpcSrv != nil { + s.grpcSrv.GracefulStop() + } +} diff --git a/internal/server/server.go b/internal/server/server.go index 7599aef..50669ad 100644 --- a/internal/server/server.go +++ b/internal/server/server.go @@ -11,6 +11,7 @@ import ( "time" "github.com/go-chi/chi/v5" + "google.golang.org/grpc" internacme "git.wntrmute.dev/kyle/metacrypt/internal/acme" "git.wntrmute.dev/kyle/metacrypt/internal/auth" @@ -28,6 +29,7 @@ type Server struct { policy *policy.Engine engines *engine.Registry httpSrv *http.Server + grpcSrv *grpc.Server logger *slog.Logger version string