Merge pull request #4 from hooksie1/new-micro

New micro

Author: hooksie1

.github/workflows/release.yaml

@@ -1,58 +1,28 @@
-name: release
-on: [push, pull_request]
+name: tagged release
+on:
+  push:
+    tags:
+      - '*'
+permissions:
+  id-token: write
+  contents: read
 jobs:
   test:
-    strategy:
-      matrix:
-        go-version: [ 1.22.x ]
-        os: [ ubuntu-latest ]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ matrix.go-version }}
-      - name: Checkout code 
-        uses: actions/checkout@v2 
-      - uses: actions/cache@v2 
-        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go- 
-      - name: Test
-        run: go test ./... 
+    uses: ./.github/workflows/test.yaml
   release:
+    needs: [test]
     permissions:
       id-token: write
-      contents: write 
+      contents: write
     runs-on: ubuntu-latest
-    needs: test
-    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
     steps:
-      - name: Checkout
+      - name: Checkout code
         uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Set up Go 
-        uses: actions/setup-go@v2
-        with: 
-          go-version: 1.22
-      - uses: actions/cache@v2
-        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v5
         with:
           distribution: goreleaser
-          version: 'v1.2.5'
-          args: release --rm-dist
+          version: latest
+          args: release --clean
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}

.github/workflows/test.yaml

@@ -0,0 +1,29 @@
+name: test
+on: 
+  push:
+    paths:
+      - '**.go'
+  workflow_call:
+jobs:
+  test:
+    strategy:
+      matrix:
+        go-version: [ 1.22.x ]
+        os: [ ubuntu-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Test
+        run: make test
+      - name: Coverage
+        run: make coverage
+      - name: store coverage
+        uses: actions/upload-artifact@v2
+        with:
+          name: test-coverage
+          path: ./coverage.html 

Dockerfile

@@ -0,0 +1,15 @@
+FROM golang:alpine as builder
+WORKDIR /app
+ENV IMAGE_TAG=dev
+RUN apk update && apk upgrade && apk add --no-cache ca-certificates git
+RUN update-ca-certificates
+ADD . /app/
+RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -a -ldflags="-s -w -X 'github.com/hooksie1/piggybank/cmd.Version=$(printf $(git describe --tags | cut -d '-' -f 1)-$(git rev-parse --short HEAD))'" -installsuffix cgo -o piggybankctl .
+
+
+FROM scratch
+
+COPY --from=builder /app/piggybankctl .
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+ENTRYPOINT ["./piggybankctl"]    

Makefile

@@ -0,0 +1,52 @@
+PROJECT_NAME := "piggybank"
+PKG := "github.com/hooksie1/piggybank"
+PKG_LIST := $(shell go list ${PKG}/... | grep -v /vendor/)
+GO_FILES := $(shell find . -name '*.go' | grep -v /vendor/ | grep -v _test.go)
+VERSION := $(shell if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then git describe --exact-match --tags HEAD 2>/dev/null || echo "dev-$(shell git rev-parse --short HEAD)"; else echo "dev"; fi)
+GOOS=$(shell go env GOOS)
+GOARCH=$(shell go env GOARCH)
+
+.PHONY: all build docker deps clean test coverage lint docker-local edgedb k8s-up k8s-down docker-delete docs update-local deploy-local
+
+all: build
+
+deps: ## Get dependencies
+	go install github.com/fzipp/gocyclo/cmd/gocyclo@latest
+
+lint: deps ## Lint the files
+	go vet
+	gocyclo -over 10 -ignore "generated" ./
+
+test: lint ## Run unittests
+	go test -v ./...
+
+coverage: ## Create test coverage report
+	go test -cover ./...
+	go test ./... -coverprofile=cover.out && go tool cover -html=cover.out -o coverage.html
+
+goreleaser: tidy ## Creates local multiarch releases with GoReleaser
+	goreleaser release --snapshot --rm-dist
+
+tidy: ## Pull in dependencies
+	go mod tidy && go mod vendor
+
+fmt: ## Format All files
+	go fmt ./...
+
+piggybankctl: ## Builds the binary on the current platform
+	go build -mod=vendor -a -ldflags "-w -X '$(PKG)/cmd.Version=$(VERSION)'" -o $(PROJECT_NAME)ctl
+
+docs: ## Builds the cli documentation
+	mkdir -p docs
+	./piggybankctl docs
+
+schema: ## Generates boilerplate code from the graph/schema.graphqls file
+	go run github.com/99designs/gqlgen update
+
+clean: ## Remove previous build
+	git clean -fd
+	git clean -fx
+	git reset --hard
+
+help: ## Display this help screen
+	@grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

README.md

@@ -1,6 +1,6 @@
 # Piggy Bank
 
-Piggy Bank is a secrets storage tool for applications that works with NATS. Secrets are stored encrypted in JetStream and can be retrieved as long as the requestor has access to the subject.
+Piggy Bank is a secrets storage tool for applications that works with NATS. Secrets are stored encrypted in a JetStream KV and can be retrieved as long as the requestor has access to the subject.
 
 A decryption key is returned from the initialization phase. If this key is lost, all of the data is unrecoverable.
 
@@ -10,18 +10,23 @@ Be sure to add the KV bucket to NATS: `nats kv add piggybank`
 
 ## Example Usage
 
-1. Start piggybank `piggybank start`
-2. Initialize the database `nats req piggybankdb.initialize ""`
-3. Unlock the database with key sent from step 1 `nats req piggybankdb.unlock '{"database_key": "foobar"}'`
-4. Add a secret for an application `nats req -H method:post piggybank.myapplication.registrySecret "somesecrettext"`
-5. Retrieve a secret `nats req -H method:get piggybank.myapplication.registrySecret ""`
-6. Lock the database `nats req piggybankdb.lock ""`
-7. Try to retrieve the secret again `nats req -H method:get piggybank.myapplication.registrySecret ""`
+1. Start piggybank `piggybank service start`
+2. Initialize the database `piggybank client database initialize`
+3. Unlock the database with key sent from step 1 `piggybank client database unlock --key foo`
+4. Add a secret for an application `piggybank client secret add --id foo --value bar`
+5. Retrieve a secret `piggybank client secret get --id foo`
+6. Lock the database `piggybank client database lock`
+7. Try to retrieve the secret again `piggybank client secret get --id foo`
 
 ## Permissions
-Permissions are defined as normal NATS subject permissions. If you have access to a subject, then you can retrieve the secrets. This means the permissions can be as granular as desired.
+Permissions are defined as normal NATS subject permissions. If you have access to a subject, then you can retrieve the secrets. This means the permissions can be as granular as desired. 
 
-## Config
-Piggy Bank requires a config file. It uses Cue to read the configs, but the configs can also be in json or yaml format.
+NOTE: Please ensure to set proper permissions for inbox responses. It is recommended to not use the default _INBOX subject for responses and to set granular inboxes for requests to piggybank.
 
-The Cue schema is in `cmd/schema.cue`.
+## NATS Connection
+
+Piggybank supports multiple auth methods for NATS. 
+
+1. Your current NATS context
+2. A path to a credentials file
+3. Env vars for the JWT and SEED

cmd/client.go

@@ -0,0 +1,20 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var clientCmd = &cobra.Command{
+	Use:              "client",
+	Short:            "Client interactions with the service",
+	PersistentPreRun: bindClientCmdFlags,
+}
+
+func init() {
+	rootCmd.AddCommand(clientCmd)
+	natsFlags(clientCmd)
+}
+
+func bindClientCmdFlags(cmd *cobra.Command, args []string) {
+	bindNatsFlags(cmd)
+}

cmd/config.go

@@ -0,0 +1,72 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/hooksie1/piggybank/service"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var databaseCmd = &cobra.Command{
+	Use:          "database",
+	Short:        "Interact with the piggybank db, valid args are init, lock, unlock",
+	RunE:         database,
+	Args:         cobra.MatchAll(cobra.MinimumNArgs(1), cobra.OnlyValidArgs),
+	ValidArgs:    []string{"init", "lock", "unlock"},
+	SilenceUsage: true,
+}
+
+func init() {
+	clientCmd.AddCommand(databaseCmd)
+	databaseCmd.Flags().String("key", "", "Database key")
+	viper.BindPFlag("key", databaseCmd.Flags().Lookup("key"))
+}
+
+func database(cmd *cobra.Command, args []string) error {
+	nc, err := newNatsConnection("piggy-client")
+	if err != nil {
+		return err
+	}
+	key := viper.GetString("key")
+
+	switch args[0] {
+	case "init":
+		msg, err := nc.Request("piggybank.database.initialize", nil, 1*time.Second)
+		if err != nil {
+			return err
+		}
+
+		fmt.Println(string(msg.Data))
+		return nil
+	case "unlock":
+		if key == "" {
+			return fmt.Errorf("database key required")
+		}
+
+		req := service.DatabaseKey{DBKey: key}
+
+		data, err := json.Marshal(req)
+		if err != nil {
+			return err
+		}
+		msg, err := nc.Request("piggybank.database.unlock", data, 1*time.Second)
+		if err != nil {
+			return err
+		}
+
+		fmt.Println(string(msg.Data))
+
+	case "lock":
+		msg, err := nc.Request("piggybank.database.lock", nil, 1*time.Second)
+		if err != nil {
+			return err
+		}
+
+		fmt.Println(string(msg.Data))
+	}
+
+	return nil
+}