store: feat encrypted filestore

Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>

Author: Benehiko

store/filestore/filestore.go

@@ -0,0 +1,154 @@
+package filestore
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"io"
+	"os"
+	"time"
+
+	"filippo.io/age"
+
+	"github.com/docker/secrets-engine/store"
+)
+
+type fileStore struct {
+	filesystem *os.Root
+	masterKey  string
+}
+
+var _ store.Store = &fileStore{}
+
+type keyStore map[string]string
+
+type file struct {
+	id              store.ID
+	metadata        map[string]string
+	encryptedSecret []byte
+}
+
+func getFile(id store.ID, filesystem *os.Root) (*file, error) {
+	fileName := base64.StdEncoding.EncodeToString([]byte(id.String()))
+	metadataFileName := "metadata-" + fileName
+	metadataStore, err := filesystem.Open(metadataFileName)
+	if err != nil {
+		return nil, err
+	}
+	defer metadataStore.Close()
+
+	fileStore, err := filesystem.Open(fileName)
+	if err != nil {
+		return nil, err
+	}
+	defer fileStore.Close()
+
+	var metadata map[string]string
+	b, err := io.ReadAll(metadataStore)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := json.Unmarshal(b, &metadata); err != nil {
+		return nil, err
+	}
+
+	encryptedSecret, err := io.ReadAll(fileStore)
+	if err != nil {
+		return nil, err
+	}
+
+	return &file{
+		metadata:        metadata,
+		encryptedSecret: encryptedSecret,
+		id:              id,
+	}, nil
+}
+
+func saveFile(f file, filesystem *os.Root) error {
+	fileName := base64.StdEncoding.EncodeToString([]byte(f.id.String()))
+	metadataFileName := "metadata-" + fileName
+	metadataStore, err := filesystem.Open(metadataFileName)
+	if err != nil {
+		return err
+	}
+	defer metadataStore.Close()
+	metadataStore.SetWriteDeadline(time.Now().Add(time.Second * 60))
+
+	fileStore, err := filesystem.Open(fileName)
+	if err != nil {
+		return err
+	}
+	defer fileStore.Close()
+	fileStore.SetWriteDeadline(time.Now().Add(time.Second * 60))
+
+	enc := json.NewEncoder(metadataStore)
+	if err := enc.Encode(f.metadata); err != nil {
+		return err
+	}
+	if err := fileStore.Truncate(0); err != nil {
+		return err
+	}
+	if _, err = fileStore.Write(f.encryptedSecret); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (f *fileStore) Delete(ctx context.Context, id store.ID) error {
+	panic("unimplemented")
+}
+
+func (f *fileStore) Filter(ctx context.Context, pattern store.Pattern) (map[string]store.Secret, error) {
+	panic("unimplemented")
+}
+
+func (f *fileStore) Get(ctx context.Context, id store.ID) (store.Secret, error) {
+	panic("unimplemented")
+}
+
+func (f *fileStore) GetAllMetadata(ctx context.Context) (map[string]store.Secret, error) {
+	panic("unimplemented")
+}
+
+func (f *fileStore) Save(ctx context.Context, id store.ID, secret store.Secret) error {
+	var err error
+
+	val, err := secret.Marshal()
+	if err != nil {
+		return err
+	}
+	metadata := secret.Metadata()
+
+	recipient, err := age.NewScryptRecipient(f.masterKey)
+	if err != nil {
+		return err
+	}
+
+	var encryptedSecret bytes.Buffer
+	w, err := age.Encrypt(&encryptedSecret, recipient)
+	if err != nil {
+		return err
+	}
+	if err := w.Close(); err != nil {
+		return err
+	}
+
+	if _, err := w.Write(val); err != nil {
+		return err
+	}
+
+	return saveFile(file{
+		id:              id,
+		encryptedSecret: encryptedSecret.Bytes(),
+		metadata:        metadata,
+	}, f.filesystem)
+}
+
+func NewFileStore(rootDir *os.Root, masterKey string) (store.Store, error) {
+	return &fileStore{
+		masterKey:  masterKey,
+		filesystem: rootDir,
+	}, nil
+}

store/filestore/filestore_test.go

@@ -0,0 +1,16 @@
+package filestore
+
+import "testing"
+
+func TestFilestore(t *testing.T) {
+	tests := []struct {
+		desc string
+	}{
+		{
+			desc: "will create a store if there is none",
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.desc, func(t *testing.T) {})
+	}
+}

store/go.mod

@@ -8,6 +8,7 @@ go 1.24.3
 replace github.com/docker/secrets-engine => ../
 
 require (
+	filippo.io/age v1.2.1
 	github.com/Benehiko/go-keychain/v2 v2.0.0
 	github.com/danieljoos/wincred v1.2.2
 	github.com/docker/secrets-engine v0.0.7

store/go.sum

@@ -1,3 +1,7 @@
+c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805 h1:u2qwJeEvnypw+OCPUHmoZE3IqwfuN5kgDfo5MLzpNM0=
+c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805/go.mod h1:FomMrUJ2Lxt5jCLmZkG3FHa72zUprnhd3v/Z18Snm4w=
+filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
+filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
 github.com/Benehiko/go-keychain/v2 v2.0.0 h1:1savOWp6On9jC+QIBbk8qYZpaqFNF0HwL02aqgRSaro=
 github.com/Benehiko/go-keychain/v2 v2.0.0/go.mod h1:Qs/Ke0XjDSN07acDqQ89qXyE/mVGmIqB1qpsyu+Th0Q=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=