cmd: Add client secret encryption option for clients import

Signed-off-by: Shota Sawada <xiootas@gmail.com>
ory · Mar 22, 2019 · 3912d44 · 3912d44
1 parent e8c6df8
commit 3912d44
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 18 deletions.
diff --git a/cmd/cli/handler_client.go b/cmd/cli/handler_client.go
@@ -27,7 +27,6 @@ import (
 	"os"
 	"strings"
 
-	"github.com/sawadashota/encrypta"
 	"github.com/spf13/cobra"
 
 	"github.com/ory/hydra/config"
@@ -57,6 +56,11 @@ func (h *ClientHandler) ImportClients(cmd *cobra.Command, args []string) {
 	cmdx.MinArgs(cmd, args, 1)
 	m := h.newClientManager(cmd)
 
+	ek, encryptSecret, err := newEncryptionKey(cmd, nil)
+	if err != nil {
+		cmdx.Must(err, "Failed to load encryption key: %s", err)
+	}
+
 	for _, path := range args {
 		reader, err := os.Open(path)
 		cmdx.Must(err, "Could not open file %s: %s", path, err)
@@ -69,6 +73,18 @@ func (h *ClientHandler) ImportClients(cmd *cobra.Command, args []string) {
 		checkResponse(err, http.StatusCreated, response)
 
 		if c.ClientSecret == "" {
+			if encryptSecret {
+				enc, err := ek.Encrypt([]byte(result.ClientSecret))
+				if err == nil {
+					fmt.Printf("Imported OAuth 2.0 Client %s from: %s\n", result.ClientId, path)
+					fmt.Printf("OAuth 2.0 Encrypted Client Secret: %s\n\n", enc.Base64Encode())
+					continue
+				}
+
+				fmt.Printf("Imported OAuth 2.0 Client %s:%s from: %s\n", result.ClientId, result.ClientSecret, path)
+				cmdx.Must(err, "Failed to encrypt client secret: %s", err)
+			}
+
 			fmt.Printf("Imported OAuth 2.0 Client %s:%s from: %s\n", result.ClientId, result.ClientSecret, path)
 		} else {
 			fmt.Printf("Imported OAuth 2.0 Client %s from: %s\n", result.ClientId, path)
@@ -93,23 +109,9 @@ func (h *ClientHandler) CreateClient(cmd *cobra.Command, args []string) {
 		fmt.Println("You should not provide secrets using command line flags, the secret might leak to bash history and similar systems")
 	}
 
-	var ek encrypta.EncryptionKey
-	var encryptSecret bool
-	pgpKey := flagx.MustGetString(cmd, "pgp-key")
-	pgpKeyURL := flagx.MustGetString(cmd, "pgp-key-url")
-	keybaseUsername := flagx.MustGetString(cmd, "keybase")
-	if pgpKey != "" {
-		ek, err = encrypta.NewPublicKeyFromBase64Encoded(pgpKey)
-		encryptSecret = true
-	} else if pgpKeyURL != "" {
-		ek, err = encrypta.NewPublicKeyFromURL(pgpKeyURL)
-		encryptSecret = true
-	} else if keybaseUsername != "" {
-		ek, err = encrypta.NewPublicKeyFromKeybase(keybaseUsername)
-		encryptSecret = true
-	}
+	ek, encryptSecret, err := newEncryptionKey(cmd, nil)
 	if err != nil {
-		cmdx.Fatalf("Failed to load encryption key")
+		cmdx.Must(err, "Failed to load encryption key: %s", err)
 	}
 
 	cc := hydra.OAuth2Client{
@@ -148,7 +150,7 @@ func (h *ClientHandler) CreateClient(cmd *cobra.Command, args []string) {
 
 				// executes this at last to print raw client secret
 				// because if executes immediately, nobody knows client secret
-				defer cmdx.Fatalf("Failed to encrypt client secret")
+				defer cmdx.Must(err, "Failed to encrypt client secret: %s", err)
 			}
 
 			fmt.Printf("OAuth 2.0 Client Secret: %s\n", result.ClientSecret)

diff --git a/cmd/cli/handler_helper.go b/cmd/cli/handler_helper.go
@@ -29,6 +29,7 @@ import (
 	"os"
 
 	"github.com/olekukonko/tablewriter"
+	"github.com/sawadashota/encrypta"
 	"github.com/spf13/cobra"
 
 	hydra "github.com/ory/hydra/sdk/go/hydra/swagger"
@@ -93,3 +94,34 @@ func newTable() *tablewriter.Table {
 
 	return table
 }
+
+// newEncryptionKey for client secret
+func newEncryptionKey(cmd *cobra.Command, client *http.Client) (ek encrypta.EncryptionKey, encryptSecret bool, err error) {
+	if client == nil {
+		client = http.DefaultClient
+	}
+
+	pgpKey := flagx.MustGetString(cmd, "pgp-key")
+	pgpKeyURL := flagx.MustGetString(cmd, "pgp-key-url")
+	keybaseUsername := flagx.MustGetString(cmd, "keybase")
+
+	if pgpKey != "" {
+		ek, err = encrypta.NewPublicKeyFromBase64Encoded(pgpKey)
+		encryptSecret = true
+		return
+	}
+
+	if pgpKeyURL != "" {
+		ek, err = encrypta.NewPublicKeyFromURL(pgpKeyURL, encrypta.HTTPClientOption(client))
+		encryptSecret = true
+		return
+	}
+
+	if keybaseUsername != "" {
+		ek, err = encrypta.NewPublicKeyFromKeybase(keybaseUsername, encrypta.HTTPClientOption(client))
+		encryptSecret = true
+		return
+	}
+
+	return nil, false, nil
+}
diff --git a/cmd/clients_create.go b/cmd/clients_create.go
@@ -36,6 +36,9 @@ as well.
 
 Example:
   hydra clients create -n "my app" -c http://localhost/cb -g authorization_code -r code -a core,foobar
+
+To encrypt auto generated client secret, use "--pgp-key", "--pgp-key-url" or "--keybase" flag, for example:
+  hydra clients create -n "my app" -g client_credentials -r token -a core,foobar --keybase keybase_username
 `,
 	Run: cmdHandler.Clients.CreateClient,
 }

diff --git a/cmd/clients_import.go b/cmd/clients_import.go
@@ -41,10 +41,18 @@ Please be aware that this command does not update existing clients. If the clien
 
 Example:
 	hydra clients import client-1.json
+
+To encrypt auto generated client secret, use "--pgp-key", "--pgp-key-url" or "--keybase" flag, for example:
+	hydra clients import client-1.json --keybase keybase_username
 `,
 	Run: cmdHandler.Clients.ImportClients,
 }
 
 func init() {
 	clientsCmd.AddCommand(clientsImportCmd)
+
+	// encrypt client secret options
+	clientsImportCmd.Flags().String("pgp-key", "", "Base64 encoded PGP encryption key for encrypting client secret")
+	clientsImportCmd.Flags().String("pgp-key-url", "", "PGP encryption key URL for encrypting client secret")
+	clientsImportCmd.Flags().String("keybase", "", "Keybase username for encrypting client secret")
 }