cindy 0.2.1

Managing infrastructure at breakneck speed.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163

//! Runtime lookup of vault data-encryption keys (DEKs).
//!
//! V1 model — deliberately as boring as `ansible-vault`'s
//! `--vault-password-file`:
//!
//!   * Each vault `<name>` has a 32-byte key stored at `keys/<name>.dek`
//!     (relative to the orchestrator's working directory, overridable
//!     via the `CINDY_KEYS_DIR` env var).
//!   * `Secret::reveal()` reads `keys/<vault>.dek` on first use and
//!     caches the bytes in a process-global map.
//!   * Operators distribute `keys/<name>.dek` to teammates out-of-band
//!     (Signal, secure file copy, whatever) and `.gitignore` the
//!     directory so it never lands in the repo.
//!
//! The CLI marshals the DEKs for the vaults a host's secrets reference
//! into the orchestrator process via the `CINDY_VAULT_KEYS` env var (a
//! base64-encoded JSON map; see [`decode_env_keys`]). The orchestrator
//! installs them locally and forwards them to the worker over the RPC
//! handshake — the worker never receives key material through its
//! argv/env, only over the (SSH-protected) channel.

use std::collections::HashMap;
use std::path::{Path, PathBuf};
use std::sync::Mutex;

use base64::Engine as _;

use crate::Context;
use crate::secret::crypto::{DEK_LEN, Dek};

const DEFAULT_KEYS_DIR: &str = "keys";

/// Process-global keychain. Populated lazily as `Secret::reveal` calls
/// land. Thread-safe; cheap to look up; never serialised.
static KEYCHAIN: Mutex<Option<HashMap<String, Dek>>> = Mutex::new(None);

fn cache_get(vault: &str) -> Option<Dek> {
    KEYCHAIN.lock().ok()?.as_ref()?.get(vault).cloned()
}

fn cache_put(vault: String, dek: Dek) {
    let mut guard = KEYCHAIN.lock().expect("keychain mutex poisoned");
    guard.get_or_insert_with(HashMap::new).insert(vault, dek);
}

/// Bulk-install DEKs into the in-memory keychain. Used on the worker
/// side, where we get the DEKs in pre-decoded form from the
/// orchestrator through an env var.
pub fn install_keys(map: HashMap<String, Dek>) {
    let mut guard = KEYCHAIN.lock().expect("keychain mutex poisoned");
    let chain = guard.get_or_insert_with(HashMap::new);
    for (k, v) in map {
        chain.insert(k, v);
    }
}

/// Decode the `CINDY_VAULT_KEYS` env var (JSON `{vault: base64-DEK}`)
/// into a `{vault: raw-DEK-bytes}` map, or `None` if it isn't set.
///
/// Used on the orchestrator: the CLI marshals the operator's local DEKs
/// here (env is fine — it's the operator's own machine, not a target),
/// and the orchestrator both installs them locally *and* forwards the
/// raw bytes to the worker over the RPC handshake.
pub fn decode_env_keys() -> crate::Result<Option<HashMap<String, Vec<u8>>>> {
    let Some(raw) = std::env::var_os("CINDY_VAULT_KEYS") else {
        return Ok(None);
    };
    let raw = raw
        .into_string()
        .map_err(|_| anyhow_serde::Error::msg("CINDY_VAULT_KEYS is not valid UTF-8"))?;

    let table: HashMap<String, String> = serde_json::from_str(&raw)
        .context("CINDY_VAULT_KEYS was not a JSON map of {vault: base64-DEK}")?;

    let mut out = HashMap::new();
    for (vault, b64) in table {
        let bytes = base64::engine::general_purpose::STANDARD
            .decode(&b64)
            .context(format!("CINDY_VAULT_KEYS[{vault}] is not valid base64"))?;
        if bytes.len() != DEK_LEN {
            crate::bail!(
                "CINDY_VAULT_KEYS[{vault}] has the wrong byte length ({} \u{2260} {DEK_LEN})",
                bytes.len()
            );
        }
        out.insert(vault, bytes);
    }
    Ok(Some(out))
}

/// Install a `{vault: raw-DEK-bytes}` map into the keychain, validating
/// each key's length. Shared by the orchestrator (from env) and the
/// worker (from the RPC handshake).
pub fn install_raw_keys(map: HashMap<String, Vec<u8>>) -> crate::Result<()> {
    let mut out = HashMap::new();
    for (vault, bytes) in map {
        if bytes.len() != DEK_LEN {
            crate::bail!(
                "DEK for vault `{vault}` has the wrong byte length ({} \u{2260} {DEK_LEN})",
                bytes.len()
            );
        }
        let mut arr = [0u8; DEK_LEN];
        arr.copy_from_slice(&bytes);
        out.insert(vault, zeroize::Zeroizing::new(arr));
    }
    install_keys(out);
    Ok(())
}

/// Resolve the keys directory. Defaults to `./keys`, overridable via
/// `CINDY_KEYS_DIR` (useful for tests and air-gapped deployments).
pub fn keys_dir() -> PathBuf {
    std::env::var_os("CINDY_KEYS_DIR")
        .map(PathBuf::from)
        .unwrap_or_else(|| PathBuf::from(DEFAULT_KEYS_DIR))
}

pub fn dek_path(vault: &str) -> PathBuf {
    keys_dir().join(format!("{vault}.dek"))
}

fn read_dek_file(path: &Path) -> crate::Result<Option<Dek>> {
    let bytes = match std::fs::read(path) {
        Ok(b) => b,
        Err(e) if e.kind() == std::io::ErrorKind::NotFound => return Ok(None),
        Err(e) => return Err(e).context(format!("Reading {}", path.display())),
    };
    if bytes.len() != DEK_LEN {
        crate::bail!(
            "{} has the wrong size ({} bytes, expected {DEK_LEN}). \
             Either it isn't a cindy DEK file, or it got truncated. \
             Delete it and re-run `cindy secret vault create <name>` \
             (or restore it from wherever you have a backup).",
            path.display(),
            bytes.len()
        );
    }
    let mut arr = [0u8; DEK_LEN];
    arr.copy_from_slice(&bytes);
    Ok(Some(zeroize::Zeroizing::new(arr)))
}

/// Public entry point: get the DEK for `vault`. Looks at the in-memory
/// cache first, then falls back to the on-disk file. Returns an error
/// if no key is available — at runtime that means the operator forgot
/// to provision `keys/<vault>.dek` on this machine.
pub fn get_dek(vault: &str) -> crate::Result<Dek> {
    if let Some(dek) = cache_get(vault) {
        return Ok(dek);
    }
    let path = dek_path(vault);
    let Some(dek) = read_dek_file(&path)? else {
        crate::bail!(
            "no key for vault `{vault}` \u{2014} expected {} to exist. \
             Either run `cindy secret vault create {vault}` to bootstrap a new vault, \
             or copy the key file from a teammate who already has one.",
            path.display()
        );
    };
    cache_put(vault.to_owned(), dek.clone());
    Ok(dek)
}