systemd-openbao/cmd/systemd-vaultd-update-secrets/main.go

package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path"
	"syscall"
	"time"
)

const (
	systemdVaultdir = "/run/systemd-vaultd/secrets"
)

func updateSecrets(serviceName, target string) error {
	// get systemd service name from credentials directory
	stat, err := os.Stat(target)
	if err != nil {
		return fmt.Errorf("failed to stat target %s: %w", target, err)
	}
	// inherit the owner and group of the credentials directory
	uid := stat.Sys().(*syscall.Stat_t).Uid
	gid := stat.Sys().(*syscall.Stat_t).Gid

	jsonPath := path.Join(systemdVaultdir, fmt.Sprintf("%s.json", serviceName))
	var content []byte
	for i := 0; i < 10; i++ {
		content, err = os.ReadFile(jsonPath)
		if err != nil {
			if os.IsNotExist(err) {
				// wait for the file to be created
				fmt.Printf("waiting for %s to be created", jsonPath)
				time.Sleep(1 * time.Second)
				continue
			}
			return fmt.Errorf("failed to read vault json file %s: %w", serviceName, err)
		}
		break
	}
	var data map[string]interface{}
	if err := json.Unmarshal(content, &data); err != nil {
		return fmt.Errorf("failed to unmarshal json from %s: %w", jsonPath, err)
	}
	for key, value := range data {
		targetPath := path.Join(target, key)
		os.Chown(path.Dir(targetPath), int(uid), int(gid))

		if err != nil {
			return fmt.Errorf("failed to create directory %s: %w", path.Dir(targetPath), err)
		}
		os.WriteFile(targetPath, []byte(value.(string)), 0o400)
		os.Chown(targetPath, int(uid), int(gid))
	}

	return nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Println("Usage: systemd-vaultd-update-secrets <target>")
		os.Exit(1)
	}
	serviceName := os.Getenv("SYSTEMD_ACTIVATION_UNIT")
	if serviceName == "" {
		fmt.Println("SYSTEMD_ACTIVATION_UNIT not set")
		os.Exit(1)
	}

	target := os.Args[1]
	if err := updateSecrets(serviceName, target); err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
}
get rid systemd patches 2 years ago			`package main`

			`import (`
			`"encoding/json"`
			`"fmt"`
			`"os"`
			`"path"`
			`"syscall"`
			`"time"`
			`)`

			`const (`
			`systemdVaultdir = "/run/systemd-vaultd/secrets"`
			`)`

systemd-vaultd-update-secrets: do not depend on CREDENTIALS_DIRECTORY to be accessible 2 years ago			`func updateSecrets(serviceName, target string) error {`
get rid systemd patches 2 years ago			`// get systemd service name from credentials directory`
systemd-vaultd-update-secrets: do not depend on CREDENTIALS_DIRECTORY to be accessible 2 years ago			`stat, err := os.Stat(target)`
get rid systemd patches 2 years ago			`if err != nil {`
systemd-vaultd-update-secrets: do not depend on CREDENTIALS_DIRECTORY to be accessible 2 years ago			`return fmt.Errorf("failed to stat target %s: %w", target, err)`
get rid systemd patches 2 years ago			`}`
			`// inherit the owner and group of the credentials directory`
			`uid := stat.Sys().(*syscall.Stat_t).Uid`
			`gid := stat.Sys().(*syscall.Stat_t).Gid`

systemd-vaultd-update-secrets: do not depend on CREDENTIALS_DIRECTORY to be accessible 2 years ago			`jsonPath := path.Join(systemdVaultdir, fmt.Sprintf("%s.json", serviceName))`
get rid systemd patches 2 years ago			`var content []byte`
			`for i := 0; i < 10; i++ {`
			`content, err = os.ReadFile(jsonPath)`
			`if err != nil {`
			`if os.IsNotExist(err) {`
			`// wait for the file to be created`
			`fmt.Printf("waiting for %s to be created", jsonPath)`
			`time.Sleep(1 * time.Second)`
			`continue`
			`}`
			`return fmt.Errorf("failed to read vault json file %s: %w", serviceName, err)`
			`}`
			`break`
			`}`
			`var data map[string]interface{}`
			`if err := json.Unmarshal(content, &data); err != nil {`
			`return fmt.Errorf("failed to unmarshal json from %s: %w", jsonPath, err)`
			`}`
			`for key, value := range data {`
			`targetPath := path.Join(target, key)`
			`os.Chown(path.Dir(targetPath), int(uid), int(gid))`

			`if err != nil {`
			`return fmt.Errorf("failed to create directory %s: %w", path.Dir(targetPath), err)`
			`}`
			`os.WriteFile(targetPath, []byte(value.(string)), 0o400)`
			`os.Chown(targetPath, int(uid), int(gid))`
			`}`

			`return nil`
			`}`

			`func main() {`
			`if len(os.Args) != 2 {`
			`fmt.Println("Usage: systemd-vaultd-update-secrets <target>")`
			`os.Exit(1)`
			`}`
systemd-vaultd-update-secrets: do not depend on CREDENTIALS_DIRECTORY to be accessible 2 years ago			`serviceName := os.Getenv("SYSTEMD_ACTIVATION_UNIT")`
			`if serviceName == "" {`
			`fmt.Println("SYSTEMD_ACTIVATION_UNIT not set")`
get rid systemd patches 2 years ago			`os.Exit(1)`
			`}`

			`target := os.Args[1]`
systemd-vaultd-update-secrets: do not depend on CREDENTIALS_DIRECTORY to be accessible 2 years ago			`if err := updateSecrets(serviceName, target); err != nil {`
get rid systemd patches 2 years ago			`fmt.Println(err)`
			`os.Exit(1)`
			`}`
			`}`