priitp2/slistener.go

## slistener.go
package main

import (
        "flag"
        "fmt"
        "log"
        "net"
        "os"
        "os/signal"
        "path/filepath"
        "strings"
        "syscall"

        vault "github.com/hashicorp/vault/api"
)

var (
        socketPath  = flag.String("socket", "/run/cryptsetup.sock", "Unix socket path")
        vaultAddr   = flag.String("vault-addr", "", "Vault server address")
        vaultToken  = flag.String("vault-token", "", "Vault token")
        secretPath  = flag.String("secret-path", "", "Path to secret in Vault")
        secretField = flag.String("secret-field", "passphrase", "Field name containing the passphrase")
        logFile     = flag.String("log", "", "Log file path (defaults to stderr)")
)

func main() {
        flag.Parse()

        // Setup logging
        if *logFile != "" {
                f, err := os.OpenFile(*logFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0640)
                if err != nil {
                        log.Fatalf("Failed to open log file: %v", err)
                }
                defer f.Close()
                log.SetOutput(f)
        }

        // Validate required flags
        if *vaultAddr == "" || *vaultToken == "" || *secretPath == "" {
                log.Fatal("vault-addr, vault-token, and secret-path are required")
        }

        // Create socket directory if it doesn't exist
        socketDir := filepath.Dir(*socketPath)
        if err := os.MkdirAll(socketDir, 0755); err != nil {
                log.Fatalf("Failed to create socket directory: %v", err)
        }

        // Remove existing socket if present
        if _, err := os.Stat(*socketPath); err == nil {
                if err := os.Remove(*socketPath); err != nil {
                        log.Fatalf("Failed to remove existing socket: %v", err)
                }
        }

        // Create Unix socket listener
        listener, err := net.ListenUnix("unix", &net.UnixAddr{Name: *socketPath, Net: "unix"})
        if err != nil {
                log.Fatalf("Failed to create Unix socket: %v", err)
        }
        defer listener.Close()

        // Set socket permissions
        if err := os.Chmod(*socketPath, 0600); err != nil {
                log.Fatalf("Failed to set socket permissions: %v", err)
        }

        log.Printf("Listening on Unix socket: %s", *socketPath)

        // Handle signals for graceful shutdown
        sigChan := make(chan os.Signal, 1)
        signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
        go func() {
                <-sigChan
                log.Println("Shutting down...")
                listener.Close()
                os.Remove(*socketPath)
                os.Exit(0)
        }()

        // Initialize Vault client
        vaultClient, err := initVaultClient(*vaultAddr, *vaultToken)
        if err != nil {
                log.Fatalf("Failed to initialize Vault client: %v", err)
        }

        // Accept connections
        for {
                conn, err := listener.AcceptUnix()
                if err != nil {
                        log.Printf("Failed to accept connection: %v", err)
                        continue
                }

                go handleConnection(conn, vaultClient, *secretPath, *secretField)
        }
}

func initVaultClient(addr, token string) (*vault.Client, error) {
        config := vault.DefaultConfig()
        config.Address = addr

        client, err := vault.NewClient(config)
        if err != nil {
                return nil, fmt.Errorf("failed to create Vault client: %w", err)
        }

        client.SetToken(token)
        return client, nil
}
func handleConnection(conn *net.UnixConn, client *vault.Client, secretPath, secretField string) {
        defer conn.Close()

        // Read device name from connection
        buf := make([]byte, 1024)
        n, err := conn.Read(buf)
        if err != nil {
                log.Printf("Failed to read from connection: %v", err)
                return
        }

        deviceName := strings.TrimSpace(string(buf[:n]))
        log.Printf("Received request for device: %s", deviceName)

        // Get passphrase from Vault
        passphrase, err := getPassphraseFromVault(client, secretPath, deviceName, secretField)
        if err != nil {
                log.Printf("Failed to get passphrase for %s: %v", deviceName, err)
                return
        }

        // Send passphrase back to cryptsetup
        if _, err := conn.Write([]byte(passphrase + "\n")); err != nil {
                log.Printf("Failed to send passphrase: %v", err)
                return
        }

        log.Printf("Successfully sent passphrase for device: %s", deviceName)
}

func getPassphraseFromVault(client *vault.Client, basePath, deviceName, field string) (string, error) {
        // Construct the full path - you might want to customize this based on your Vault structure
        fullPath := fmt.Sprintf("%s/%s", basePath, deviceName)

        // Get secret from Vault
        secret, err := client.Logical().Read(fullPath)
        if err != nil {
                return "", fmt.Errorf("failed to read secret: %w", err)
        }

        if secret == nil || secret.Data == nil {
                return "", fmt.Errorf("no secret found at %s", fullPath)
        }

        // Extract passphrase from secret
        passphrase, ok := secret.Data[field].(string)
        if !ok {
                return "", fmt.Errorf("field %s not found in secret or not a string", field)
        }

        return passphrase, nil
}
	package main

	import (
	"flag"
	"fmt"
	"log"
	"net"
	"os"
	"os/signal"
	"path/filepath"
	"strings"
	"syscall"

	vault "github.com/hashicorp/vault/api"
	)

	var (
	socketPath = flag.String("socket", "/run/cryptsetup.sock", "Unix socket path")
	vaultAddr = flag.String("vault-addr", "", "Vault server address")
	vaultToken = flag.String("vault-token", "", "Vault token")
	secretPath = flag.String("secret-path", "", "Path to secret in Vault")
	secretField = flag.String("secret-field", "passphrase", "Field name containing the passphrase")
	logFile = flag.String("log", "", "Log file path (defaults to stderr)")
	)

	func main() {
	flag.Parse()

	// Setup logging
	if *logFile != "" {
	f, err := os.OpenFile(*logFile, os.O_APPEND\|os.O_CREATE\|os.O_WRONLY, 0640)
	if err != nil {
	log.Fatalf("Failed to open log file: %v", err)
	}
	defer f.Close()
	log.SetOutput(f)
	}

	// Validate required flags
	if vaultAddr == "" \|\| vaultToken == "" \|\| *secretPath == "" {
	log.Fatal("vault-addr, vault-token, and secret-path are required")
	}

	// Create socket directory if it doesn't exist
	socketDir := filepath.Dir(*socketPath)
	if err := os.MkdirAll(socketDir, 0755); err != nil {
	log.Fatalf("Failed to create socket directory: %v", err)
	}

	// Remove existing socket if present
	if _, err := os.Stat(*socketPath); err == nil {
	if err := os.Remove(*socketPath); err != nil {
	log.Fatalf("Failed to remove existing socket: %v", err)
	}
	}

	// Create Unix socket listener
	listener, err := net.ListenUnix("unix", &net.UnixAddr{Name: *socketPath, Net: "unix"})
	if err != nil {
	log.Fatalf("Failed to create Unix socket: %v", err)
	}
	defer listener.Close()

	// Set socket permissions
	if err := os.Chmod(*socketPath, 0600); err != nil {
	log.Fatalf("Failed to set socket permissions: %v", err)
	}

	log.Printf("Listening on Unix socket: %s", *socketPath)

	// Handle signals for graceful shutdown
	sigChan := make(chan os.Signal, 1)
	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
	go func() {
	<-sigChan
	log.Println("Shutting down...")
	listener.Close()
	os.Remove(*socketPath)
	os.Exit(0)
	}()

	// Initialize Vault client
	vaultClient, err := initVaultClient(vaultAddr, vaultToken)
	if err != nil {
	log.Fatalf("Failed to initialize Vault client: %v", err)
	}

	// Accept connections
	for {
	conn, err := listener.AcceptUnix()
	if err != nil {
	log.Printf("Failed to accept connection: %v", err)
	continue
	}

	go handleConnection(conn, vaultClient, secretPath, secretField)
	}
	}

	func initVaultClient(addr, token string) (*vault.Client, error) {
	config := vault.DefaultConfig()
	config.Address = addr

	client, err := vault.NewClient(config)
	if err != nil {
	return nil, fmt.Errorf("failed to create Vault client: %w", err)
	}

	client.SetToken(token)
	return client, nil
	}
	func handleConnection(conn net.UnixConn, client vault.Client, secretPath, secretField string) {
	defer conn.Close()

	// Read device name from connection
	buf := make([]byte, 1024)
	n, err := conn.Read(buf)
	if err != nil {
	log.Printf("Failed to read from connection: %v", err)
	return
	}

	deviceName := strings.TrimSpace(string(buf[:n]))
	log.Printf("Received request for device: %s", deviceName)

	// Get passphrase from Vault
	passphrase, err := getPassphraseFromVault(client, secretPath, deviceName, secretField)
	if err != nil {
	log.Printf("Failed to get passphrase for %s: %v", deviceName, err)
	return
	}

	// Send passphrase back to cryptsetup
	if _, err := conn.Write([]byte(passphrase + "\n")); err != nil {
	log.Printf("Failed to send passphrase: %v", err)
	return
	}

	log.Printf("Successfully sent passphrase for device: %s", deviceName)
	}

	func getPassphraseFromVault(client *vault.Client, basePath, deviceName, field string) (string, error) {
	// Construct the full path - you might want to customize this based on your Vault structure
	fullPath := fmt.Sprintf("%s/%s", basePath, deviceName)

	// Get secret from Vault
	secret, err := client.Logical().Read(fullPath)
	if err != nil {
	return "", fmt.Errorf("failed to read secret: %w", err)
	}

	if secret == nil \|\| secret.Data == nil {
	return "", fmt.Errorf("no secret found at %s", fullPath)
	}

	// Extract passphrase from secret
	passphrase, ok := secret.Data[field].(string)
	if !ok {
	return "", fmt.Errorf("field %s not found in secret or not a string", field)
	}

	return passphrase, nil
	}
No results found