systemd-vaultd-update-secrets: do not depend on CREDENTIALS_DIRECTORY to be accessible

cmd/systemd-vaultd-update-secrets/main.go

@@ -13,18 +13,17 @@ const (
 	systemdVaultdir = "/run/systemd-vaultd/secrets"
 )
 
-func updateSecrets(credentialsDirectory, target string) error {
+func updateSecrets(serviceName, target string) error {
 	// get systemd service name from credentials directory
-	serviceName := path.Base(credentialsDirectory)
-	stat, err := os.Stat(credentialsDirectory)
+	stat, err := os.Stat(target)
 	if err != nil {
-		return fmt.Errorf("failed to stat %s: %w", credentialsDirectory, err)
+		return fmt.Errorf("failed to stat target %s: %w", target, err)
 	}
 	// inherit the owner and group of the credentials directory
 	uid := stat.Sys().(*syscall.Stat_t).Uid
 	gid := stat.Sys().(*syscall.Stat_t).Gid
 
-	jsonPath := path.Join(credentialsDirectory, fmt.Sprintf("%s.json", serviceName))
+	jsonPath := path.Join(systemdVaultdir, fmt.Sprintf("%s.json", serviceName))
 	var content []byte
 	for i := 0; i < 10; i++ {
 		content, err = os.ReadFile(jsonPath)
@@ -45,7 +44,6 @@ func updateSecrets(credentialsDirectory, target string) error {
 	}
 	for key, value := range data {
 		targetPath := path.Join(target, key)
-		err := os.MkdirAll(path.Dir(targetPath), 0o700)
 		os.Chown(path.Dir(targetPath), int(uid), int(gid))
 
 		if err != nil {
@@ -63,14 +61,14 @@ func main() {
 		fmt.Println("Usage: systemd-vaultd-update-secrets <target>")
 		os.Exit(1)
 	}
-	credentialsDirectory := os.Getenv("CREDENTIALS_DIRECTORY")
-	if credentialsDirectory == "" {
-		fmt.Println("CREDENTIALS_DIRECTORY environment variable must be set")
+	serviceName := os.Getenv("SYSTEMD_ACTIVATION_UNIT")
+	if serviceName == "" {
+		fmt.Println("SYSTEMD_ACTIVATION_UNIT not set")
 		os.Exit(1)
 	}
 
 	target := os.Args[1]
-	if err := updateSecrets(credentialsDirectory, target); err != nil {
+	if err := updateSecrets(serviceName, target); err != nil {
 		fmt.Println(err)
 		os.Exit(1)
 	}